CVE-2026-34615

Critical

Published: 14 April 2026

Published

14 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0359 87.8th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts…

into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Applying vendor patches for CVE-2026-34615 directly remediates the deserialization flaw in Adobe Connect, preventing arbitrary code execution from untrusted data.

SI-10 Information Input Validation good match

prevent

Validating untrusted information inputs prior to deserialization blocks malicious payloads delivered via crafted URLs exploiting CVE-2026-34615.

SI-16 Memory Protection partial match

prevent

Memory protection mechanisms mitigate arbitrary code execution resulting from successful deserialization exploitation in CVE-2026-34615.

Security SummaryAI

CVE-2026-34615 is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting Adobe Connect versions 2025.3, 12.10, and earlier. This flaw allows arbitrary code execution in the context of the current user, with a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, user interaction, changed scope, and significant impacts on confidentiality and integrity.

An unauthenticated attacker can exploit this vulnerability by tricking a victim into visiting a maliciously crafted URL or interacting with a compromised web page. Successful exploitation enables the injection of malicious scripts into a web page, potentially granting the attacker elevated access or control over the victim's account or session.

Adobe has published security bulletin APSB26-37 at https://helpx.adobe.com/security/products/connect/apsb26-37.html, which provides details on mitigation, including available patches for affected versions.

Details

CWE(s): CWE-502

Affected Products

adobe

connect

≤ 12.11

adobe

connect desktop application

≤ 2025.3 · ≤ 2025.9.15

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-34615 is a deserialization vulnerability in Adobe Connect, a public-facing web application, enabling remote arbitrary code execution with no privileges required (AV:N/AC:L/PR:N), directly mapping to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://helpx.adobe.com/security/products/connect/apsb26-37.html
Vendor Advisory · psirt@adobe.com