Critical Adobe Acrobat Reader Flaw Exploited in the Wild: CVE-2026-34621 Under Active Attack
**Adobe** has issued emergency updates to address a critical vulnerability in **Acrobat Reader**, **CVE-2026-34621**, which is currently being actively exploited. This flaw, a prototype pollution issue, could allow attackers to execute arbitrary code on affected systems.

**Adobe** has released emergency updates to fix a critical security flaw in **Acrobat Reader** that has come under active exploitation in the wild.
The vulnerability, assigned the CVE identifier **CVE-2026-34621**, carries a CVSS score of 8.6 out of 10.0. Successful exploitation of the flaw could allow an attacker to run malicious code on affected installations.
It has been described as a case of prototype pollution that could result in arbitrary code execution. Prototype pollution refers to a **JavaScript** security vulnerability that permits an attacker to manipulate an application's objects and properties.
The issue impacts the following products and versions for both Windows and macOS:
* Acrobat DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
* Acrobat Reader DC versions 26.001.21367 and earlier (Fixed in 26.001.21411)
* Acrobat 2024 versions 24.001.30356 and earlier (Fixed in 24.001.30362 for Windows and 24.001.30360 for macOS)
**Adobe** acknowledged that it's "aware of **CVE-2026-34621** being exploited in the wild."
The development comes days after security researcher and EXPMON founder **Haifei Li** disclosed details of zero-day exploitation of the flaw to run malicious **JavaScript** code when opening specially crafted PDF documents through **Adobe Reader**. There is evidence suggesting that the vulnerability may have been under exploitation since December 2025.
"It appears that **Adobe** has determined the bug can lead to arbitrary code execution - not just an information leak," EXPMON said in a post on X. "This aligns with our findings and those of other security researchers over the last few days."
### Update
The U.S. **Cybersecurity and Infrastructure Security Agency (CISA)**, on April 13, 2026, added **CVE-2026-34621** to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by April 27, 2026.
*(The story was updated after publication to reflect the change in CVSS score from 9.6 to 8.6. In a revision to its advisory on April 12, 2026, **Adobe** said it adjusted the attack vector from Network (AV:N) to Local (AV:L).)*