Week 16 – Trusted Format, Hidden Threat: Exploiting Adobe Reader via PDF

13-19 Apr 2026
In this week’s CVE of the Week, we’re looking at a critical, actively exploited vulnerability in Adobe Acrobat and Adobe Reader that allows attackers to execute arbitrary code by simply getting a user to open a malicious PDF file.
CVE-2026-34621 is a high-severity vulnerability with a CVSS score of 8.6, caused by improperly controlled modification of object prototype attributes (prototype pollution) in the JavaScript processing engine used by Acrobat and Reader. When a specially crafted PDF is opened, an attacker can manipulate internal objects and invoke privileged application functions, ultimately leading to arbitrary code execution in the context of the current user.
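To make the bug class concrete, here is an added illustration of prototype pollution in plain JavaScript; it is not Acrobat's code and does not model Acrobat's JavaScript API. A naive deep merge that honours a `__proto__` key writes into `Object.prototype`, so an unrelated object suddenly passes a privilege check; the hardened version beside it refuses such keys. The merge helpers, the `privileged` flag and the input are assumptions made for the demonstration.

```javascript
// Added illustration of the bug class; not Acrobat's code. The merge helpers,
// the `privileged` flag and the input below are assumptions for the demo.

// Vulnerable: a naive deep merge walks every untrusted key, "__proto__" included.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === "object") {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeUnsafe(target[key], val); // target["__proto__"] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip prototype-reaching keys, treat only *own* properties as
// existing children, and create children with no prototype chain at all.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object") target[key] = Object.create(null);
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Stand-in for a privileged operation gated by a per-object flag.
function runWithSettings(settings) {
  return settings.privileged === true ? "privileged path" : "normal path";
}

// Constructed untrusted input, parsed from JSON so "__proto__" is an own key.
const UNTRUSTED = JSON.parse('{"__proto__": {"privileged": true}}');

// Merge the input into a fresh object; does an unrelated object now pass the gate?
function demo(merge) {
  merge({}, UNTRUSTED);
  const result = runWithSettings({});
  delete Object.prototype.privileged; // undo any pollution for later runs
  return result;
}
```

`demo(mergeUnsafe)` returns "privileged path" while `demo(mergeSafe)` returns "normal path", which is the difference between a gate that can be bypassed by attacker-controlled data and one that cannot.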
While exploitation requires user interaction in the form of opening a PDF, Adobe has confirmed that this vulnerability has been actively exploited in the wild since late 2025. Researchers observed malicious documents performing system profiling before potentially deploying additional payloads, indicating targeted and controlled attacks rather than opportunistic scans.
The issue has been fixed in version 26.001.21411 of Acrobat DC and Acrobat Reader DC, and in versions 24.001.30362 and 24.001.30360 of Acrobat 2024, all released in April 2026. Users are strongly advised to apply the latest patches immediately: given the active exploitation and the popularity of PDFs as an attack vector, unpatched systems remain at significant risk.
For more information:
https://nvd.nist.gov/vuln/detail/CVE-2026-34621
https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
https://www.securityweek.com/adobe-patches-reader-zero-day-exploited-for-months

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect its deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.