{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34628", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-03-30T17:30:36.490Z", "datePublished": "2026-04-14T17:05:10.542Z", "dateUpdated": "2026-04-14T18:22:03.150Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "InDesign Desktop", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "21.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.8, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.8, "temporalSeverity": "HIGH", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow (CWE-122)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:05:10.542Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html"}], "source": {"discovery": "EXTERNAL"}, "title": "InDesign Desktop | Heap-based Buffer Overflow (CWE-122)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:21:51.967452Z", "id": "CVE-2026-34628", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:22:03.150Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T18:21:51.967452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:21:59.552Z"}}], "cna": {"title": "InDesign Desktop | Heap-based Buffer Overflow (CWE-122)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 7.8, "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "HIGH", "environmentalScore": 7.8, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "HIGH", "environmentalSeverity": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "InDesign Desktop", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "21.2"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow (CWE-122)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T17:05:10.542Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34628", "state": "PUBLISHED", "dateUpdated": "2026-04-14T18:22:03.150Z", "dateReserved": "2026-03-30T17:30:36.490Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T17:05:10.542Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*", "matchCriteriaId": "5644C156-EB3C-4F24-A9E8-ABB5EA61F2A9", "versionEndExcluding": "20.5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6F7C5A5-F818-4184-81C3-35282D05CBEA", "versionEndExcluding": "21.3", "versionStartIncluding": "21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-34628", "lastModified": "2026-04-16T21:22:22.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T18:17:37.060", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,21.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InDesign Desktop", "source": "cna", "vendor": "Adobe"}, "product": "indesign_desktop", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T19:38:11.410483+00:00", "value": {"mitigation_remediation": ["Update Adobe InDesign to the latest available release that includes the patch for CVE-2026-34628.", "If a patch is unavailable, verify that the software is configured to warn users before opening unknown or untrusted files, and follow organizational file\u2011handling policies.", "Monitor for any anomalous activity on systems running affected versions and apply additional security controls such as application whitelisting if possible."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Adobe InDesign Desktop applications are impacted. Versions 20.5.2, 21.2 and all earlier releases are vulnerable. The vulnerability does not affect newer releases beyond those listed.", "description_and_impact": "The flaw is a heap-based buffer overflow in the desktop version of Adobe InDesign. A crafted malicious file can exploit the overflow to execute arbitrary code in the context of the user who opens the file. This leads to a loss of confidentiality, integrity, and availability for the affected system because the attacker can run any code with the victim\u2019s privileges.", "risk_and_exploitability": "The CVSS rating of 7.8 reflects a moderate to high severity. EPSS data is not available, and the issue is not present in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation requires local user interaction: an attacker must entice the victim to open a malicious file. Once executed, the attacker gains the victim\u2019s user privileges, allowing code execution, data exfiltration, or further malware deployment. Users should consider this a significant risk if they frequently handle untrusted documents."}}}}, "created": "2026-04-15T14:31:56.909763+00:00", "updated": "2026-04-15T14:41:09.781557+00:00", "vendors": ["adobe", "adobe$PRODUCT$indesign_desktop"]}