CVE-2026-48275

Adobe · Illustrator Desktop

Adobe Illustrator is susceptible to an untrusted search path vulnerability that could allow an attacker to execute arbitrary code with the privileges of the current user.

Executive summary

A high-severity untrusted search path vulnerability in Adobe Illustrator Desktop allows for arbitrary code execution, posing a significant risk to local system integrity.

Vulnerability

This is an untrusted search path vulnerability (CWE-426) where the application improperly validates directory paths during file operations. An attacker can leverage this flaw to execute arbitrary code, provided they can trick the user into performing an action.

Business impact

The successful exploitation of this vulnerability results in full code execution under the context of the logged-in user. This could lead to total compromise of the workstation, unauthorized data access, and the potential for lateral movement within the corporate network. With a CVSS score of 8.6, this flaw represents a high risk to organizational security.

Remediation

Immediate Action: Update Adobe Illustrator Desktop to version 30.6 for the 2026 release or version 29.8.9 for the 2025 release to patch the search path flaw.

Proactive Monitoring: Review endpoint security logs for unexpected process execution or unauthorized file modifications in application directories.

Compensating Controls: Implement strict application control policies to prevent the execution of untrusted binaries and enforce the principle of least privilege for local users.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Given the potential for complete system compromise, organizations should prioritize patching Adobe Illustrator installations. Administrators must verify that all instances are updated to the specified fixed versions to eliminate this risk effectively.