CVE-2026-21280
Untrusted Search Path in Adobe Illustrator Enables Code Execution
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | illustrator | to 30.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Untrusted Search Path issue in Adobe Illustrator versions 29.8.3, 30.0 and earlier. It occurs when the application uses a search path to locate critical resources like programs. An attacker can modify this search path to point to a malicious program, which the application would then execute in the context of the current user. Exploitation requires the victim to open a malicious file, changing the scope and enabling arbitrary code execution.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to execute arbitrary code with the privileges of the current user. This could lead to unauthorized actions such as installing malware, stealing data, or damaging the system. The impact includes potential full compromise of the user's environment depending on their permissions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid opening files from untrusted sources in affected versions of Illustrator (29.8.3, 30.0 and earlier). Ensure that the search path used by the application is secure and not modifiable by untrusted users. Consider updating to a version of Illustrator that addresses this vulnerability once available.