{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27291", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-02-18T22:02:41.395Z", "datePublished": "2026-04-14T16:45:50.319Z", "dateUpdated": "2026-04-15T03:58:31.384Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "InDesign Desktop", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "21.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "datePublic": "2026-04-14T17:00:00.000Z", "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 7.8, "environmentalSeverity": "HIGH", "exploitCodeMaturity": "NOT_DEFINED", "integrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "HIGH", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "UNCHANGED", "modifiedUserInteraction": "REQUIRED", "privilegesRequired": "NONE", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "scope": "UNCHANGED", "temporalScore": 7.8, "temporalSeverity": "HIGH", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write (CWE-787)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T16:45:50.319Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html"}], "source": {"discovery": "EXTERNAL"}, "title": "InDesign Desktop | Out-of-bounds Write (CWE-787)"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-27291"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T03:58:31.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27291", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T19:39:33.758682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:39:38.994Z"}}], "cna": {"title": "InDesign Desktop | Out-of-bounds Write (CWE-787)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 7.8, "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "HIGH", "availabilityImpact": "HIGH", "environmentalScore": 7.8, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "HIGH", "environmentalSeverity": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "HIGH", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "InDesign Desktop", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "21.2"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write (CWE-787)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T16:45:50.319Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27291", "state": "PUBLISHED", "dateUpdated": "2026-04-15T03:58:31.384Z", "dateReserved": "2026-02-18T22:02:41.395Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T16:45:50.319Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*", "matchCriteriaId": "5644C156-EB3C-4F24-A9E8-ABB5EA61F2A9", "versionEndExcluding": "20.5.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:indesign:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6F7C5A5-F818-4184-81C3-35282D05CBEA", "versionEndExcluding": "21.3", "versionStartIncluding": "21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-27291", "lastModified": "2026-04-16T21:23:06.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@adobe.com", "type": "Primary"}]}, "published": "2026-04-14T17:16:48.507", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/indesign/apsb26-32.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,21.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "InDesign Desktop", "source": "cna", "vendor": "Adobe"}, "product": "indesign_desktop", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T18:54:40.884991+00:00", "value": {"mitigation_remediation": ["Upgrade Adobe InDesign Desktop to the latest version or apply the vendor\u2011issued patch that addresses the out\u2011of\u2011bounds write", "If an immediate update is unavailable, refrain from opening untrusted InDesign files until the update is applied", "Consider disabling automatic file opening or implementing sandboxing for InDesign to limit the impact of any potential exploitation"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Affected are Adobe InDesign Desktop releases 20.5.2, version 21.2 and any earlier builds. These versions are included in the 2026 Adobe product suite and are deployed in creative studios and graphic design environments.", "description_and_impact": "Adobe InDesign Desktop versions 20.5.2, 21.2 and earlier suffer an out\u2011of\u2011bounds write that allows a malicious document to corrupt memory and execute code with the privileges of the user who opens the file. The flaw originates from improper bounds checking during parsing of certain file formats. Successful exploitation can lead to arbitrary code execution, providing the attacker full control over the affected system in the context of the compromised user.", "risk_and_exploitability": "The CVSS base score of 7.8 indicates a high severity. EPSS data is not reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires user interaction: the victim must open a specially crafted InDesign file. As the flaw is triggered during file parsing, the likely attack vector is a malicious document or a file embedded in a phishing email. Given the user\u2011interaction prerequisite, the risk is medium to high for individuals who frequently open unknown design files."}}}}, "created": "2026-04-15T14:31:56.931001+00:00", "updated": "2026-04-15T15:30:06.808161+00:00", "vendors": ["adobe", "adobe$PRODUCT$indesign_desktop"]}