{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21281", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2025-12-12T22:01:18.188Z", "datePublished": "2026-01-13T18:45:30.580Z", "dateUpdated": "2026-02-26T15:04:14.608Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "InCopy", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "19.5.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-01-13T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.8, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.8, "temporalSeverity": "HIGH", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow (CWE-122)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T18:45:30.580Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/incopy/apsb26-04.html"}], "source": {"discovery": "EXTERNAL"}, "title": "InCopy | Heap-based Buffer Overflow (CWE-122)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:57:38.563465Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:14.608Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T04:57:38.563465Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T18:58:55.224Z"}}], "cna": {"title": "InCopy | Heap-based Buffer Overflow (CWE-122)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 7.8, "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "HIGH", "environmentalScore": 7.8, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "HIGH", "environmentalSeverity": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "InCopy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "19.5.5"}], "defaultStatus": "affected"}], "datePublic": "2026-01-13T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/incopy/apsb26-04.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow (CWE-122)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-01-13T18:45:30.580Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21281", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:14.608Z", "dateReserved": "2025-12-12T22:01:18.188Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-01-13T18:45:30.580Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:incopy:*:*:*:*:*:*:*:*", "matchCriteriaId": "787164DB-0C13-412F-9E57-271AE10CB605", "versionEndExcluding": "20.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:incopy:21.0:*:*:*:*:*:*:*", "matchCriteriaId": "74CF36EE-020C-4620-A213-9DAFF04E24BE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InCopy versions 21.0, 19.5.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-21281", "lastModified": "2026-01-14T19:28:33.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-01-13T19:16:25.857", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/incopy/apsb26-04.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "psirt@adobe.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:34:12.841453+00:00", "value": {"mitigation_remediation": ["Download and install the security update for Adobe InCopy supplied in Adobe's 2026 AP Security Advisory 26\u201104.", "Upgrade to a version that is not impacted, such as InCopy 21.1 or later, or any release released after the advisory.", "Implement file\u2011type restrictions or endpoint protection that prevents users from opening unknown or untrusted documents."], "summary": {"action": "Apply Patch", "impact": "Arbitrary code execution via heap-based buffer overflow"}, "threat_synthesis": {"affected_systems": "Affected installations include any Adobe InCopy deployment running the affected releases, regardless of operating system. The vulnerable versions are 21.0, 19.5.5 and all previous releases. As the products operate on Windows and macOS platforms, any user running those environments is at risk if an older version is in use.", "description_and_impact": "An attacker can exploit a heap-based buffer overflow in Adobe InCopy versions 21.0, 19.5.5 and earlier by delivering a specially crafted file. When a victim opens this file, the vulnerable code can overwrite memory and execute arbitrary code with the privileges of the current user. The weakness arises from improper bounds checking while parsing document data, classifying it under CWE\u2011122 and CWE\u2011787. Successful exploitation can compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS v3 score of 7.8 indicates a high severity. The EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is currently very low, and Adobe is not listed in the CISA KEV catalog. Nevertheless, the vulnerability requires user interaction\u2014a malicious file must be opened\u2014so the threat surface is limited to environments where users have the ability to access or download files from untrusted sources."}}}}, "created": "2026-01-14T11:07:44.418567+00:00", "updated": "2026-04-18T06:45:23.958500+00:00", "vendors": ["adobe", "adobe$PRODUCT$incopy"]}