CVE-2015-0337
Description
Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Flash Player before 13.0.0.277, 14.x-17.x before 17.0.0.134, and 11.2.x before 11.2.202.451 allows Same Origin Policy bypass via unspecified vectors.
Vulnerability
Adobe Flash Player versions prior to 13.0.0.277 on Windows and OS X, versions 14.x through 17.x prior to 17.0.0.134 on Windows and OS X, and versions prior to 11.2.202.451 on Linux are affected by a vulnerability that allows remote attackers to bypass the Same Origin Policy. The vectors are unspecified. [1][2]
Exploitation
An attacker can trigger this vulnerability by enticing a user to open a specially crafted Flash file (SWF). The attacker does not require any authentication or local access; the attack is carried out remotely by delivering the malicious content via a website or other network-based means. The exact steps are not detailed in available references, but the attack vector is through a crafted Flash file that causes the player to violate the same-origin policy. [1][2]
Impact
Successful exploitation allows the attacker to bypass the Same Origin Policy, which can lead to data theft, cross-site scripting, or other information disclosure. The attacker may gain access to data from other origins (domains) that would normally be restricted, potentially compromising user sessions or sensitive information. The privilege level obtained is that of the user running the Flash Player, typically within the browser sandbox. [1][2]
Mitigation
Adobe has released updated Flash Player versions: 13.0.0.277 (Windows/OS X), 17.0.0.134 (Windows/OS X), and 11.2.202.451 (Linux). Users should update to the latest versions immediately. Red Hat and Gentoo have provided updated packages [1][2]. No workaround is available for this vulnerability. The flaw is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:* (range: <=11.2.202.442)
- cpe:2.3:a:adobe:flash_player:14.0.0.125:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.145:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.176:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:14.0.0.179:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.152:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.167:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.189:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.223:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.239:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:15.0.0.246:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.235:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.257:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.287:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.296:*:*:*:*:*:*:*
- cpe:2.3:a:adobe:flash_player:16.0.0.305:*:*:*:*:*:*:*
- (no CPE) range: <13.0.0.277 || (>=14.0 <17.0.0.134) || <11.2.202.451
- osv-coords (2 versions), range: < 11.2.202.451-77.1
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Desktop%2012
  - pkg:rpm/suse/flash-player&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012
- (no CPE) range: < 11.2.202.451-77.1
- (no CPE) range: < 11.2.202.451-77.1
References
- helpx.adobe.com/security/products/flash-player/apsb15-05.html (nvd; Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00014.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00015.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00016.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2015-03/msg00017.html (nvd)
- rhn.redhat.com/errata/RHSA-2015-0697.html (nvd)
- www.securitytracker.com/id/1031922 (nvd)
- security.gentoo.org/glsa/201503-09 (nvd)