CVE-2026-21280
Published: 13 January 2026
Summary
CVE-2026-21280 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Adobe Illustrator. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE is ranked at the 9.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the untrusted search path flaw in Adobe Illustrator by requiring timely patching of known vulnerabilities like CVE-2026-21280 to prevent arbitrary code execution.
Enforces least functionality by restricting execution to essential approved programs, blocking the malicious executable loaded via the manipulated search path.
Deploys malicious code protection at key points in the system to scan for, detect, and prevent execution of the attacker's malicious program exploited through the untrusted search path.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Untrusted search path (CWE-426) directly enables path interception by search order hijacking to execute attacker-controlled malicious executables.
NVD Description
Illustrator versions 29.8.3, 30.0 and earlier are affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses a search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Deeper analysis
Adobe Illustrator versions 29.8.3, 30.0, and earlier are affected by CVE-2026-21280, an untrusted search path vulnerability classified under CWE-426. This flaw allows an attacker to manipulate the application's search path for critical resources, such as programs, causing Illustrator to execute a malicious program instead. Successful exploitation leads to arbitrary code execution in the context of the current user, with a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting a local attack vector, low attack complexity, no required privileges, required user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
Exploitation requires local access and user interaction, where a victim must open a malicious file in the vulnerable Illustrator version. An attacker with no privileges can modify the search path to redirect to their malicious executable, which the application then runs upon file opening. This results in full arbitrary code execution with the privileges of the current user, potentially enabling data theft, persistence, or further system compromise.
Adobe's security bulletin APSB26-03 provides details on the vulnerability and mitigation, available at https://helpx.adobe.com/security/products/illustrator/apsb26-03.html. Security practitioners should advise users to apply patches promptly and avoid opening untrusted files in affected versions.
Details
- CWE(s)