Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities were disclosed across a range of Adobe products (Adobe Bridge, Dreamweaver, InCopy, InDesign, the Substance 3D suite, ColdFusion’s Apache Tika dependency, and Illustrator), including heap-based buffer overflows, OS command injection, improper input validation, access of uninitialized pointers, out-of-bounds reads/writes, use-after-free, NULL pointer dereference, and an XXE. The advisory lists numerous CVEs (e.g., CVE-2026-21267 through CVE-2026-21308) and warns that the most severe vulnerabilities could permit arbitrary code execution as the logged-on user—potentially enabling program installation, data access/modification, or account creation—while noting that users with limited privileges would be less impacted.