CVE-2026-34703 – Adobe InDesign Desktop

CVSS 5.5 MODERATE High with EoP or RCE – Expedited Deployment

“A malicious document can turn a creative workflow into a code execution opportunity.”

Adobe patched multiple vulnerabilities in InDesign Desktop versions 21.3, 20.5.3, and earlier. CVE-2026-34695, CVE-2026-34696, CVE-2026-34697, CVE-2026-34698, CVE-2026-34699, CVE-2026-34700, CVE-2026-34701, and CVE-2026-34702 each have a CVSS score of 7.8, which is High severity. CVE-2026-34703 has a CVSS score of 5.5, which is Medium severity.

The update addresses stack-based buffer overflows, heap-based buffer overflows, use-after-free conditions, out-of-bounds writes, and a NULL pointer dereference vulnerability. Successful exploitation could allow arbitrary code execution in the context of the current user or cause application denial of service. All vulnerabilities require user interaction, as a victim must open a malicious file. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Adobe Indesign
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
CWE Classification
CWE-476
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.