CVE-2026-27303
Published: 14 April 2026
Summary
CVE-2026-27303 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 44.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability tracked as CWE-502. The flaw carries a CVSS 3.1 base score of 9.6 and can result in arbitrary code execution in the context of the current user. Scope is changed, meaning the impact is not confined to the vulnerable component itself.
An attacker exploits the issue by supplying a maliciously crafted URL or a compromised web page that the victim must visit or interact with; the untrusted serialized data delivered that way is deserialized without validation. No authentication or prior privileges are required, but user interaction is: the victim has to open the attacker-controlled content.
The official Adobe advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html addresses the issue and outlines available patches and mitigation steps for affected Connect installations.
The associated EPSS score remains flat at 0.0470 (an estimated 4.7% probability of exploitation activity in the next 30 days) with no material rise from its initial value, indicating limited observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22667
Vulnerability details
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-27303 is a deserialization vulnerability in the public-facing Adobe Connect web application that enables remote arbitrary code execution with no privileges required, which maps to T1190: Exploit Public-Facing Application. Note the caveat from the vulnerability details: the attacker still needs a victim to visit the crafted URL or interact with the compromised page, so the exposed application is the vector but a user action triggers the deserialization.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): enforces validation of untrusted serialized data supplied via malicious URLs or web pages before deserialization occurs, for example by rejecting any payload that references types or callables outside an explicit allowlist, which blocks the arbitrary code execution path.
- SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms that can identify and block the payload delivered to the client, or the code that runs after a successful deserialization of attacker-controlled data.
- Flaw remediation (SI-2): requires timely application of the vendor patches referenced in APSB26-37 that remediate the deserialization flaw in Adobe Connect versions 2025.3, 12.10 and earlier.
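To make the SI-10 and SI-3 controls concrete, the following is an added example written for this page, not Adobe Connect code (the page does not describe Connect's serialization format, so Python's pickle stands in for it). It shows the CWE-502 pattern (deserializing attacker bytes with no validation) beside a hardened form that first scans the payload for the globals it would import, which doubles as a detection signature over captured payloads, and then deserializes with an allowlist-restricted unpickler. The message shape, the `AttackerGadget` payload and all names are constructed for the example.

```python
"""Added example: CWE-502 in a Python service, with the SI-10 control
(validate the serialized payload before deserializing it) beside the
vulnerable form. Illustrative code, not Adobe Connect's; the message
format, names and payload are constructed for the example."""
import io
import pickle
import pickletools

# Constructed benign message of the shape the hypothetical service expects.
BENIGN_MESSAGE = {"room": "weekly-sync", "seat": 12}
BENIGN_BLOB = pickle.dumps(BENIGN_MESSAGE)


class AttackerGadget:
    """Constructed attacker object: on unpickling it calls builtins.eval on an
    attacker-chosen string. eval of a harmless expression stands in for the
    os.system-style gadget a real exploit would use."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


# Constructed malicious payload, i.e. what a crafted URL or page would deliver.
MALICIOUS_BLOB = pickle.dumps(AttackerGadget())

# String-pushing opcodes whose arguments feed STACK_GLOBAL (protocol 4+).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "SHORT_BINSTRING", "BINSTRING"}


def deserialize_vulnerable(blob: bytes):
    """CWE-502: deserializes attacker-controlled bytes with no validation.
    Any callable the payload names is imported and invoked during load."""
    return pickle.loads(blob)


def referenced_globals(blob: bytes) -> list:
    """Static scan of a pickle stream (no payload code runs): returns every
    (module, name) pair the payload would import. Serves as the pre-load
    validation step and as a detection check over captured payloads."""
    refs = []
    recent_strings = []
    for opcode, arg, _pos in pickletools.genops(blob):
        if opcode.name in _STRING_OPS:
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":           # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif opcode.name == "STACK_GLOBAL":     # protocol 4+: last two pushed strings
            refs.append((recent_strings[-2], recent_strings[-1]))
    return refs


class RejectedPayload(pickle.UnpicklingError):
    """Raised when a payload references a global outside the allowlist."""


class AllowlistUnpickler(pickle.Unpickler):
    """Second line of defence: even if the pre-scan is bypassed, find_class
    refuses to resolve any global that is not explicitly allowed."""

    def __init__(self, blob: bytes, allowed: frozenset):
        super().__init__(io.BytesIO(blob))
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise RejectedPayload(f"refused global {module}.{name}")


def deserialize_hardened(blob: bytes, allowed: frozenset = frozenset()):
    """SI-10 style control: validate first, then deserialize under an
    allowlist. The default allowlist is empty because the expected message
    is plain dicts, strings and ints, which reference no globals at all."""
    disallowed = [ref for ref in referenced_globals(blob) if ref not in allowed]
    if disallowed:
        raise RejectedPayload(f"payload references disallowed globals: {disallowed}")
    return AllowlistUnpickler(blob, allowed).load()


def try_hardened(blob: bytes):
    """Returns (accepted, value_or_reason) so callers can log rejections."""
    try:
        return True, deserialize_hardened(blob)
    except RejectedPayload as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable path ran attacker code, got:", deserialize_vulnerable(MALICIOUS_BLOB))
    print("globals referenced by payload:", referenced_globals(MALICIOUS_BLOB))
    print("hardened path, benign:", try_hardened(BENIGN_BLOB))
    print("hardened path, malicious:", try_hardened(MALICIOUS_BLOB))
```

The design point is that validation happens on the serialized bytes before any object is constructed: `referenced_globals` never executes the payload, and the allowlist is empty because the legitimate message needs no globals, so the only way for attacker-chosen code to run is for the application to opt in to it explicitly. The same scan can be pointed at payloads recovered from proxy logs or packet captures to flag blobs that name callables such as `os.system` or `builtins.eval`.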