Adobe releases April 2026 patches for multiple products
Take action: If you use any Adobe products, prioritize updating Adobe Acrobat and Reader immediately since one of the vulnerabilities (CVE-2026-34621) is already being exploited in the wild, then update the rest of your Adobe software. Start with ColdFusion and Connect, which have critical flaws scoring above 9.0. If you can't update right away, avoid opening untrusted PDF files and restrict access to ColdFusion and Connect servers until patches are applied.
Adobe has released its April 2026 security updates addressing critical, important, and moderate vulnerabilities across 11 product families. These flaws could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass, memory exposure, and application denial-of-service.
Adobe Acrobat and Reader (APSB26-43 & APSB26-44)
Critical Vulnerabilities
- CVE-2026-34621 (CVSS score 8.6) - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') that could lead to arbitrary code execution. (Note: Adobe is aware of this being exploited in the wild).
- CVE-2026-34622 (CVSS score 8.6) - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') that could lead to arbitrary code execution.
Important Vulnerabilities
- CVE-2026-34626 (CVSS score 6.3) - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') that could lead to arbitrary file system read.
Affected Versions:
- Acrobat DC - 26.001.21411 and earlier (Windows and macOS)
- Acrobat Reader DC - 26.001.21411 and earlier (Windows and macOS)
- Acrobat 2024 - Win 24.001.30362 and earlier, Mac 24.001.30360 and earlier (Windows and macOS)
Updated Versions:
- Acrobat DC - 26.001.21431 (Windows and macOS)
- Acrobat Reader DC - 26.001.21431 (Windows and macOS)
- Acrobat 2024 - 24.001.30365 (Windows and macOS)
Adobe ColdFusion
Critical Vulnerabilities
- CVE-2026-34619 (CVSS score 7.7) - Path Traversal vulnerability that could lead to security feature bypass.
- CVE-2026-27304 (CVSS score 9.3) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
- CVE-2026-27305 (CVSS score 8.6) - Path Traversal vulnerability that could lead to arbitrary file system read.
- CVE-2026-27282 (CVSS score 7.5) - Improper Input Validation vulnerability that could lead to security feature bypass.
- CVE-2026-27306 (CVSS score 8.4) - Improper Input Validation vulnerability that could lead to arbitrary code execution.
Moderate Vulnerabilities
- CVE-2026-27307 (CVSS score 2.4) - Uncontrolled Resource Consumption that could lead to application denial-of-service.
- CVE-2026-27308 (CVSS score 2.4) - Uncontrolled Resource Consumption that could lead to application denial-of-service.
Affected Versions:
- ColdFusion 2025 - Update 6 and earlier versions (All platforms)
- ColdFusion 2023 - Update 18 and earlier versions (All platforms)
Updated Versions:
- ColdFusion 2025 - Update 7 (All platforms)
- ColdFusion 2023 - Update 19 (All platforms)
Adobe InDesign
Critical Vulnerabilities
- CVE-2026-27283 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2026-27284 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2026-27291 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-34627, CVE-2026-34628, CVE-2026-34629, CVE-2026-27238 (CVSS score 7.8 each) - Heap-based Buffer Overflow vulnerabilities that could lead to arbitrary code execution.
Important Vulnerabilities
- CVE-2026-27285 (CVSS score 5.5) - Heap-based Buffer Overflow vulnerability that could lead to application denial-of-service.
- CVE-2026-27286 (CVSS score 5.5) - Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe InDesign - ID21.2 and earlier versions (Windows and macOS)
- Adobe InDesign - ID20.5.2 and earlier versions (Windows and macOS)
Updated Versions:
- Adobe InDesign - ID21.3 (Windows and macOS)
- Adobe InDesign - ID20.5.3 (Windows and macOS)
Adobe Connect
Critical Vulnerabilities
- CVE-2026-27302 (CVSS score 9.6) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.
- CVE-2026-27303 (CVSS score 9.6) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.
- CVE-2026-27243 (CVSS score 9.3) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-27245 (CVSS score 9.3) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-27246 (CVSS score 9.3) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-34615 (CVSS score 9.3) - Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution.
- CVE-2026-34617 (CVSS score 9.6) - Cross-site Scripting (XSS) vulnerability that could lead to privilege escalation.
Important Vulnerabilities
- CVE-2026-21331 (CVSS score 6.1) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-34614 (CVSS score 6.1) - Cross-site Scripting (Reflected XSS) vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe Connect - 12.10 and earlier (Windows and macOS)
- Connect Desktop App - 2025.3 and earlier (Windows and macOS)
Updated Versions:
- Adobe Connect - 12.11 (Windows and macOS)
- Connect Desktop App - 2025.9 (Windows)
Adobe FrameMaker
Critical Vulnerabilities
- CVE-2026-27290 (CVSS score 8.6) - Untrusted Search Path vulnerability that could lead to arbitrary code execution.
- CVE-2026-27292 (CVSS score 7.8) - Use After Free vulnerability that could lead to arbitrary code execution.
- CVE-2026-27293 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27294 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2026-27295 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
- CVE-2026-27296 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
- CVE-2026-27297 (CVSS score 7.8) - Integer Underflow (Wrap or Wraparound) vulnerability that could lead to arbitrary code execution.
- CVE-2026-27298 (CVSS score 7.8) - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could lead to arbitrary code execution.
Important Vulnerabilities
- CVE-2026-27299 (CVSS score 6.3) - Improper Input Validation vulnerability that could lead to arbitrary file system read.
- CVE-2026-27300 (CVSS score 5.5) - Access of Uninitialized Pointer vulnerability that could lead to memory exposure.
- CVE-2026-27301 (CVSS score 5.5) - Heap-based Buffer Overflow vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe FrameMaker - 2022 Release Update 8 and earlier (Windows)
Updated Versions:
- Adobe FrameMaker - FrameMaker 2026 (Windows)
- Adobe FrameMaker - FrameMaker 2022 Update 9 (Windows)
Adobe Bridge
Critical Vulnerabilities
- CVE-2026-27309 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27310 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27311 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27312 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
- CVE-2026-27313 (CVSS score 7.8) - Heap-based Buffer Overflow vulnerability that could lead to arbitrary code execution.
Important Vulnerability
- CVE-2026-27222 (CVSS score 5.5) - Divide By Zero vulnerability that could lead to application denial-of-service.
Affected Versions:
- Adobe Bridge - 15.1.4 (LTS) and earlier versions (Windows and macOS)
- Adobe Bridge - 16.0.2 and earlier versions (Windows and macOS)
Updated Versions:
- Adobe Bridge - 15.1.5 (LTS) (Windows and macOS)
- Adobe Bridge - 16.0.3 (Windows and macOS)
Adobe Photoshop
Critical Vulnerability
- CVE-2026-27289 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Photoshop 2026 - 27.4 and earlier versions (Windows)
Updated Versions:
- Photoshop 2026 - 27.5 (Windows and macOS)
Adobe DNG Software Development Kit (SDK)
Important Vulnerabilities
- CVE-2026-27258 (CVSS score 5.5) - Out-of-bounds Write vulnerability that could lead to application denial-of-service.
- CVE-2026-27259 (CVSS score 5.5) - Out-of-bounds Write vulnerability that could lead to application denial-of-service.
- CVE-2026-27260 (CVSS score 5.5) - Out-of-bounds Read vulnerability that could lead to memory exposure.
Affected Versions:
- Adobe DNG SDK - 1.7.1 build 2502 and earlier versions (All platforms)
Updated Versions:
- Adobe DNG SDK - 1.7.1 build 2536 (All platforms)
Adobe InCopy
Critical Vulnerabilities
- CVE-2026-27287 (CVSS score 7.8) - Out-of-bounds Read vulnerability that could lead to arbitrary code execution.
- CVE-2026-27264 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Adobe InCopy - 21.2 and earlier versions (Windows and macOS)
- Adobe InCopy - 20.5.2 and earlier versions (Windows and macOS)
Updated Versions:
- Adobe InCopy - 21.3 (Windows and macOS)
- Adobe InCopy - 20.5.3 (Windows and macOS)
Adobe Experience Manager (AEM) Screens
Important Vulnerabilities
- CVE-2026-27288 (CVSS score 5.4) - Cross-site Scripting (Stored XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-34623 (CVSS score 5.4) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to privilege escalation.
- CVE-2026-34624 (CVSS score 5.4) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
- CVE-2026-34625 (CVSS score 5.4) - Cross-site Scripting (DOM-based XSS) vulnerability that could lead to arbitrary code execution.
Affected Versions:
- AEM Screens - 6.5 Service Pack 24 or earlier / Feature Pack 11.7 or earlier (All platforms)
Updated Versions:
- AEM Screens - Feature Pack 11.8 (All platforms)
Adobe Illustrator
Critical Vulnerability
- CVE-2026-34618 (CVSS score 7.8) - Out-of-bounds Write vulnerability that could lead to arbitrary code execution.
Affected Versions:
- Illustrator 2025 - 29.8.5 and earlier versions (Windows)
- Illustrator 2026 - 30.2 and earlier versions (Windows)
Updated Versions:
- Illustrator 2025 - 29.8.6 (Windows and macOS)
- Illustrator 2026 - 30.3 (Windows and macOS)
Adobe claims that they are not aware of any exploits in the wild for any of the issues addressed in these updates, with the exception of CVE-2026-34621 in Acrobat. Users are strongly encouraged to update their software to the latest versions.
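To apply the "Take action" order to an asset inventory, the following added example (not Adobe's tooling and not part of the original advisory) flags installs at or below the affected versions listed above for Acrobat/Reader, ColdFusion and Connect, and sorts them with the exploited Acrobat flaw first. The function names, the inventory row format and the sample hosts are assumptions made for illustration; ColdFusion versions are expected as the update number, as in the lists above.

```python
import re

# Last affected version per product, copied from this advisory's "Affected
# Versions" lists. Priority follows the "Take action" paragraph: 0 = Acrobat/
# Reader (CVE-2026-34621 exploited), 1 = ColdFusion and Connect (CVSS > 9.0).
LAST_AFFECTED = {
    ("Acrobat DC", "any"): ("26.001.21411", 0),
    ("Acrobat Reader DC", "any"): ("26.001.21411", 0),
    ("Acrobat 2024", "windows"): ("24.001.30362", 0),
    ("Acrobat 2024", "macos"): ("24.001.30360", 0),
    ("ColdFusion 2025", "any"): ("Update 6", 1),
    ("ColdFusion 2023", "any"): ("Update 18", 1),
    ("Adobe Connect", "any"): ("12.10", 1),
    ("Connect Desktop App", "any"): ("2025.3", 1),
}

def version_key(text):
    """Turn '26.001.21411', '12.10' or 'Update 18' into a tuple of ints.
    Raw string comparison would rank '12.9' above '12.10' and 'Update 7'
    above 'Update 18', so each numeric field is compared as a number."""
    fields = tuple(int(n) for n in re.findall(r"\d+", text))
    if not fields:
        raise ValueError(f"no numeric version fields in {text!r}")
    return fields

def triage(inventory):
    """Return (priority, host, product, installed) for vulnerable rows, most
    urgent first. Products missing from the table are skipped (not assessed)."""
    findings = []
    for host, product, platform, installed in inventory:
        entry = (LAST_AFFECTED.get((product, platform.lower()))
                 or LAST_AFFECTED.get((product, "any")))
        if entry is None:
            continue
        last_bad, priority = entry
        if version_key(installed) <= version_key(last_bad):
            findings.append((priority, host, product, installed))
    return sorted(findings)

# Constructed sample inventory: hosts and installed versions are made up.
SAMPLE = [
    ("web01", "ColdFusion 2023", "linux", "Update 18"),
    ("web02", "ColdFusion 2025", "linux", "Update 7"),
    ("pc-11", "Acrobat Reader DC", "windows", "26.001.21411"),
    ("pc-12", "Acrobat DC", "windows", "26.001.21431"),
    ("mac-07", "Acrobat 2024", "macOS", "24.001.30360"),
    ("conf01", "Adobe Connect", "windows", "12.9"),
]
```

Calling `triage(SAMPLE)` returns the four unpatched hosts with the two Acrobat installs ahead of the Connect and ColdFusion servers; a product that is absent from the table is left out of the result, which means it was not assessed rather than that it is safe.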