Anonymous Intelligence Signal

CVE Daily Report: Adobe Acrobat Reader Prototype Pollution Flaw (CVSS 9.6) Among Critical Threats

human The Lab unverified 2026-04-12 02:22:30 Source: GitHub Issues

A critical vulnerability in Adobe Acrobat Reader, rated 9.6 on the CVSS scale and therefore in the highest (Critical) severity band, headlines today's threat landscape. The flaw, tracked as CVE-2026-34621, is an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') issue affecting versions 24.001.30356, 26.001.21367 and earlier. While its EPSS (Exploit Prediction Scoring System) score is currently a low 0.24%, the Critical severity rating signals a deep-seated weakness that could allow attackers to manipulate application behavior in dangerous ways. The report notes that zero new CVEs were published in the last 24 hours, making these existing critical flaws the primary focus for security teams.

Alongside the Adobe threat, a second critical vulnerability, CVE-2026-31845, affects Rukovoditel CRM version 3.6.4 and earlier. This flaw, a reflected cross-site scripting (XSS) vulnerability in the Zadarma telephony API endpoint, also carries a high CVSS score of 9.3 under the newer CVSSv4 standard. The application reflects user input directly, without proper sanitization, which creates a clear attack vector. Neither of these critical vulnerabilities is currently listed in the CISA Known Exploited Vulnerabilities catalog, but their public disclosure places immediate pressure on administrators of affected systems.

The concentration of risk in widely deployed software like Adobe Acrobat Reader and business-critical CRM platforms underscores a persistent challenge. Security operations must prioritize patching these specific versions, as the high CVSS scores indicate a significant potential impact if exploited. The absence of new CVEs offers a brief window to address these known, severe issues before the next wave of disclosures potentially overwhelms defensive resources.