Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:
Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):
Adobe Acrobat Reader:
- Use After Free (CVE-2026-27220, CVE-2026-27278)
- Improper Verification of Cryptographic Signature (CVE-2026-27221)
Adobe Commerce:
- Cross-site Scripting (Stored XSS) (CVE-2026-21361, CVE-2026-21284, CVE-2026-21290, CVE-2026-21311, CVE-2026-21291, CVE-2026-21292)
- Incorrect Authorization (CVE-2026-21289, CVE-2026-21309, CVE-2026-21285, CVE-2026-21286, CVE-2026-21359, CVE-2026-21296, CVE-2026-21297)
- Server-Side Request Forgery (SSRF) (CVE-2026-21293, CVE-2026-21294)
- Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CVE-2026-21360)
- Improper Input Validation (CVE-2026-21282, CVE-2026-21310)
- URL Redirection to Untrusted Site (‘Open Redirect’) (CVE-2026-21295)
Adobe DNG Software Development Kit (SDK):
- Out-of-bounds Write (CVE-2026-27280)
- Integer Overflow or Wraparound (CVE-2026-27281)
Adobe Experience Manager:
- Cross-site Scripting (Stored XSS) (CVE-2026-27223, CVE-2026-27224, CVE-2026-27225, CVE-2026-27227, CVE-2026-27228, CVE-2026-27229, CVE-2026-27230, CVE-2026-27231, CVE-2026-27232, CVE-2026-27233, CVE-2026-27234, CVE-2026-27235, CVE-2026-27236, CVE-2026-27237, CVE-2026-27239, CVE-2026-27240, CVE-2026-27241, CVE-2026-27242, CVE-2026-27244, CVE-2026-27248, CVE-2026-27249, CVE-2026-27250, CVE-2026-27251, CVE-2026-27252, CVE-2026-27253, CVE-2026-27254, CVE-2026-27255, CVE-2026-27256, CVE-2026-27257, CVE-2026-27262, CVE-2026-27265, CVE-2026-27266)
- Cross-site Scripting (DOM-based XSS) (CVE-2026-27247)
Adobe Premiere Pro:
- Out-of-bounds Read (CVE-2026-27269)
Substance 3D Painter:
- NULL Pointer Dereference (CVE-2026-21363, CVE-2026-21364, CVE-2026-27214, CVE-2026-27215, CVE-2026-27217, CVE-2026-27218)
- Out-of-bounds Read (CVE-2026-21365, CVE-2026-27216, CVE-2026-27219)
Substance 3D Stager:
- Out-of-bounds Write (CVE-2026-27273, CVE-2026-27274, CVE-2026-27275, CVE-2026-27279)
- Use After Free (CVE-2026-27276, CVE-2026-27277)
Adobe Illustrator:
- Untrusted Search Path (CVE-2026-21333)
- Out-of-bounds Write (CVE-2026-21362, CVE-2026-27272)
- Heap-based Buffer Overflow (CVE-2026-27271)
- Stack-based Buffer Overflow (CVE-2026-27267)
- Out-of-bounds Read (CVE-2026-27268, CVE-2026-27270)
Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
