CVE-2026-27290
Published: 14 April 2026
Summary
CVE-2026-27290 is a high-severity Untrusted Search Path (CWE-426) vulnerability in Adobe Framemaker. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception (T1034); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of vendor patches directly remediates the untrusted search path flaw in Adobe FrameMaker, preventing arbitrary code execution.
Malicious code protection scans for and prevents execution of attacker-placed malicious programs that exploit the untrusted search path.
Restricting system execution to only authorized software prevents FrameMaker from loading and running malicious executables via manipulated search paths.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Untrusted search path (CWE-426) directly enables path interception by allowing an attacker to place a malicious executable in a location searched before the legitimate resource, hijacking execution flow at application launch (T1574.008 / legacy T1034).
NVD Description
Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources…
more
such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.
Deeper analysisAI
CVE-2026-27290 is an Untrusted Search Path vulnerability (CWE-426) affecting Adobe FrameMaker versions 2022.8 and earlier. The flaw arises when the application relies on a search path to locate critical resources, such as programs, allowing an attacker to modify that path to redirect to a malicious executable. This could enable arbitrary code execution in the context of the current user.
A local attacker with no privileges required (PR:N) can exploit this vulnerability with low attack complexity (AC:L), though user interaction is rated as required (UI:R) per the CVSS v3.1 score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). By altering the search path, the attacker tricks FrameMaker into running their malicious code upon application launch or resource access, achieving high-impact confidentiality, integrity, and availability violations with elevated scope (S:C) in the user's security context. Notably, the vulnerability description indicates exploitation does not require user interaction.
Adobe's Security Bulletin APSB26-36 at https://helpx.adobe.com/security/products/framemaker/apsb26-36.html provides details on mitigation, including available patches for affected FrameMaker versions. Security practitioners should apply these updates promptly and review search path configurations to prevent unauthorized modifications.
Details
- CWE(s)