Severity: HIGH | CVE-2026-48294 | CNA: adobe

CVE-2026-48294: Adobe Acrobat PDF Extension (Chrome) versions 26

Adobe Acrobat PDF Extension (Chrome) versions 26.5.2.2 and earlier are affected by a UXSS-class cross-origin data disclosure vulnerability. An attacker could exploit this vulnerability to gain access to data regarding the victim's session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: (no version listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A Universal Cross-Site Scripting (UXSS) vulnerability affects the Adobe Acrobat PDF Extension for Chrome versions 26.5.2.2 and earlier. The flaw is reachable over the network without authentication, but requires the victim to visit a maliciously crafted URL or interact with a compromised web page. Successful exploitation allows an attacker to read cross-origin session data from the victim's browser, crossing the browser's same-origin security boundary. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild as soon as an upstream fix is available.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected extension.

Status: Available

Triage

HarborGuard scores this CVE at 7.4 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy before routing findings to the appropriate team inbox within the customer org.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe ships a remediated release. In the meantime, customers can apply compensating controls such as network-policy isolation or browser-extension allowlist enforcement through HarborGuard's policy configuration.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the exploit over the network; the victim must be able to reach a maliciously crafted URL or a compromised web page hosted on an external or internal network endpoint.

  • Authentication: Not required

    No account or credential of any kind is required; any anonymous party who can lure the victim to the malicious page can attempt exploitation.

  • Victim interaction: Required

    The victim must actively visit a maliciously crafted URL or interact with a compromised web page, making social engineering a necessary step in the attack chain.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental preconditions beyond victim interaction.

Blast Radius

  • Reads cross-origin browser session data, including cookies, tokens, and page content from sites the victim has open, bypassing the same-origin policy.
  • Gains access to authenticated session context from third-party origins, enabling session hijacking or credential harvesting without direct credential theft.
  • Confidentiality impact is high; integrity and availability are unaffected, so the attacker observes data but does not modify or destroy it.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-48294, HarborGuard monitors the Adobe advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Adobe releases a remediated version of the Chrome extension. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While the fix is pending, HarborGuard's policy engine can flag any image or pipeline artifact that bundles the affected extension version, and customers can use network-policy isolation rules or browser-extension allowlisting as compensating controls to reduce exposure in affected environments.

Affected packages
  • Adobe / Adobe Acrobat PDF Extension (Chrome)
    ≤ 26.5.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N