CVE-2026-47937
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
An Uncontrolled Search Path Element vulnerability in Acrobat Reader allows arbitrary code execution in the context of the current user. An attacker with high privileges can exploit this, requiring user interaction (opening a malicious file). The scope is changed.
Risk Assessment
The risk for the organization is the potential takeover of a user's workstation by an attacker with high privileges, leading to data theft or further network propagation.
Recommendation
Immediately update Acrobat Reader to version 24.001.30366, 26.001.21652 or later. Also restrict opening files from untrusted sources.
Original NVD description (English source)
Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. An attacker with high privileges could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

