Adobe Illustrator contains a critical improper input validation flaw (CVSS 9.3) that lets a malicious file execute arbitrary code in the context of the current user.
What Is It
CVE-2026-48334 is an Improper Input Validation vulnerability (CWE-20) in Adobe Illustrator. When a victim opens a specially crafted malicious file, the flaw can result in arbitrary code execution in the context of the current user. Because the vulnerability has a changed scope, the impact can extend beyond the initially vulnerable component. The issue was published on July 14, 2026, and is credited to Adobe's PSIRT.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. Attack complexity is low and no privileges are required, though exploitation does require user interaction; a victim must open a malicious file. Successful exploitation yields high confidentiality and integrity impact. The combination of a low-complexity attack, high impact, and a design tool commonly used to open externally-supplied files makes this an attractive target for social-engineering-driven campaigns.
What's Vulnerable
- Illustrator Desktop 2026: versions up to and including 30.5 are affected.
- Illustrator Desktop 2025: versions up to and including 29.8.7 are affected.
Patch Status
Adobe has released fixed builds. Users should update to the unaffected versions:
- Illustrator 2026: version 30.6 or later.
- Illustrator 2025: version 29.8.9 or later.
Refer to Adobe Security Bulletin APSB26-79 for full remediation guidance. This CVE does not currently appear in the CISA KEV catalog, and there is no confirmation of active exploitation in the supplied source material.
Sources
- Adobe Security Bulletin (APSB26-79), https://helpx.adobe.com/security/products/illustrator/apsb26-79.html
- NVD, CVE-2026-48334, https://nvd.nist.gov/vuln/detail/CVE-2026-48334