VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-48294

Description

Adobe Acrobat PDF Extension for Chrome versions ≤26.5.2.2 has a UXSS vulnerability allowing cross-origin session data disclosure via user interaction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Adobe Acrobat PDF Extension for Chrome, versions 26.5.2.2 and earlier, contains a Universal Cross-Site Scripting (UXSS) vulnerability that leads to cross-origin data disclosure. The vulnerability exists in the extension's handling of cross-origin requests, allowing a malicious website to bypass same-origin policy restrictions. Affected versions include all builds up to 26.5.2.2 [1].

Exploitation

Exploitation requires user interaction: the victim must visit a maliciously crafted URL or interact with a compromised web page while the extension is active. An attacker can then leverage the UXSS flaw to execute JavaScript in the context of arbitrary origins, enabling data access across different sites.

Impact

Successful exploitation allows the attacker to gain access to data regarding the victim's session, such as cookies, tokens, or other sensitive information from other origins. The scope is changed, meaning the attacker can impact resources beyond the vulnerable component.

Mitigation

As of the publication date (2026-06-16), a fix has not been disclosed. Users should update to a patched version once available. The extension is available on the Chrome Web Store [1]; users can monitor for updates there. No workaround is provided in the available references.
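Until a fixed build is published, the practical step is knowing which profiles carry an affected build. The following is an added example, not code from this advisory or from Adobe: it reads the standard Chrome profile layout (`Extensions/<id>/<version>_<n>/manifest.json`) and flags builds at or below 26.5.2.2. The extension ID is a placeholder because the advisory does not list it, and the sample profile and the version 26.6.0.1 are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

LAST_AFFECTED = "26.5.2.2"  # last affected build, from the advisory text
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"  # placeholder: the advisory does not list the ID


def parse_version(text):
    """Chrome extension versions are 1-4 dot-separated integers; missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"not a Chrome extension version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the version is at or below the last affected build."""
    return parse_version(version) <= parse_version(last_affected)


def installed_versions(profile_dir, extension_id):
    """Yield the manifest version of every unpacked build of the extension in a profile."""
    root = Path(profile_dir) / "Extensions" / extension_id
    for manifest in sorted(root.glob("*/manifest.json")):
        try:
            yield json.loads(manifest.read_text(encoding="utf-8"))["version"]
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest: skip it rather than guess


def audit_profile(profile_dir, extension_id=EXTENSION_ID):
    """Return {version: affected?} for each installed build of the extension."""
    return {v: is_affected(v) for v in installed_versions(profile_dir, extension_id)}


def build_sample_profile(base, extension_id=EXTENSION_ID):
    """Constructed profile: 26.6.0.1 is an invented higher number, not a known fixed release."""
    for version in ("26.5.2.2", "26.6.0.1"):
        d = Path(base) / "Extensions" / extension_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"version": version}))
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_profile(build_sample_profile(tmp)))
```

To use it on a real machine, pass the path of a Chrome profile directory and the extension's actual ID (shown on `chrome://extensions` with developer mode enabled) to `audit_profile`.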

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.