Ghostwire

CVE-2026-34621: Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of...

HIGH | CVSS 7.5 | EPSS 0.04% | CISA KEV | Exploit Available | 1 PoC

Published: April 11, 2026 | Last Modified: April 11, 2026

Description

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CISA Known Exploited Vulnerability

This vulnerability is on CISA's Known Exploited Vulnerabilities catalog, meaning it has been confirmed exploited in the wild. Federal agencies are required to patch by 2026-04-27.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.04% (11th percentile)

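EPSS rates the exploitation probability as low based on current threat landscape data. On the EPSS score alone, a standard patching timeline is appropriate; note that the CISA KEV listing above records confirmed exploitation in the wild and sets a federal patch deadline of 2026-04-27.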

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (1)

Security Coverage (12 articles)