Exploited CVEs / By vendor / Adobe
Adobe vulnerabilities actively exploited
79 Adobe CVEs on the CISA Known Exploited Vulnerabilities catalog, newest first. Refreshed daily.
Every CVE below is confirmed exploited in the wild, not just theoretically severe. The newest addition is CVE-2009-3459 (Acrobat and Reader, added 2026-05-20). 10 of the 79 are used in ransomware campaigns. New CISA KEV entries appear here the day they are cataloged; the freshest across all vendors are on exploited this week.
Ask your own AI about Adobe exploited CVEs
Copy this prompt into Claude, ChatGPT, or Copilot. The facts are included, sourced from this page.
Flash Player: 33 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2013-0643 | Flash Player | 2024-09-17 | CVSS 8.8, EPSS 11% |
| CVE-2013-0648 | Flash Player | 2024-09-17 | CVSS 8.8, EPSS 11% |
| CVE-2014-0497 | Flash Player | 2024-09-17 | CVSS 9.8, EPSS 100% |
| CVE-2014-0502 | Flash Player | 2024-09-17 | CVSS 8.8, EPSS 24% |
| CVE-2010-1297 | Flash Player | 2022-06-08 | CVSS 7.8, EPSS 82% |
| CVE-2011-0609 | Flash Player | 2022-06-08 | CVSS 7.8, EPSS 67% |
| CVE-2012-0754 | Flash Player | 2022-06-08 | CVSS 8.1, EPSS 92% |
| CVE-2012-0767 | Flash Player | 2022-06-08 | CVSS 6.1, EPSS 7% |
| CVE-2012-5054 | Flash Player | 2022-06-08 | CVSS 8.8, EPSS 21% |
| CVE-2014-8439 | Flash Player | 2022-05-25 | CVSS 8.8, EPSS 20% |
| CVE-2015-0310 | Flash Player | 2022-05-25 | CVSS 7.8, EPSS 15% |
| CVE-2015-8651 | Flash Player | 2022-05-25 | CVSS 8.8, EPSS 68% |
| CVE-2018-5002 | Flash Player | 2022-05-23 | CVSS 7.8, EPSS 25% |
| CVE-2014-9163 | Flash Player | 2022-04-13 | CVSS 7.8, EPSS 20% |
| CVE-2015-0311 | Flash Player | 2022-04-13 | CVSS 9.8, EPSS 86% |
| CVE-2015-0313 | Flash Player | 2022-04-13 | CVSS 9.8, EPSS 96% |
| CVE-2015-3113 | Flash Player | 2022-04-13 | CVSS 9.8, EPSS 100% |
| CVE-2015-5122 | Flash Player | 2022-04-13 | CVSS 9.8, EPSS 94% |
| CVE-2015-5123 | Flash Player | 2022-04-13 | CVSS 9.8, EPSS 18% |
| CVE-2012-2034 | Flash Player | 2022-03-28 | CVSS 7.5, EPSS 8% |
| CVE-2016-4171 | Flash Player | 2022-03-25 | CVSS 9.8, EPSS 20% |
| CVE-2016-7892 | Flash Player | 2022-03-25 | CVSS 8.8, EPSS 19% |
| CVE-2011-0611 | Flash Player | 2022-03-03 | CVSS 8.8, EPSS 99% |
| CVE-2012-1535 | Flash Player | 2022-03-03 | CVSS 7.8, EPSS 70% |
| CVE-2015-3043 | Flash Player | 2022-03-03 | CVSS 9.8, EPSS 80% |
| CVE-2015-5119 | Flash Player | 2022-03-03 | CVSS 9.8, EPSS 99% |
| CVE-2015-7645 | Flash Player | 2022-03-03 | ransomware, CVSS 7.8, EPSS 68% |
| CVE-2016-1019 | Flash Player | 2022-03-03 | ransomware, CVSS 9.8, EPSS 22% |
| CVE-2016-4117 | Flash Player | 2022-03-03 | CVSS 9.8, EPSS 94% |
| CVE-2016-7855 | Flash Player | 2022-03-03 | CVSS 8.8, EPSS 25% |
| CVE-2017-11292 | Flash Player | 2022-03-03 | CVSS 8.8, EPSS 12% |
| CVE-2018-15982 | Flash Player | 2022-02-15 | ransomware, CVSS 7.8, EPSS 82% |
| CVE-2018-4878 | Flash Player | 2021-11-03 | ransomware, CVSS 7.8, EPSS 90% |
ColdFusion: 15 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2017-3066 | ColdFusion | 2025-02-24 | CVSS 9.8, EPSS 91% |
| CVE-2024-20767 | ColdFusion | 2024-12-16 | CVSS 7.4, EPSS 99% |
| CVE-2023-29300 | ColdFusion | 2024-01-08 | ransomware, CVSS 9.8, EPSS 100% |
| CVE-2023-38203 | ColdFusion | 2024-01-08 | ransomware, CVSS 9.8, EPSS 97% |
| CVE-2023-26359 | ColdFusion | 2023-08-21 | CVSS 9.8, EPSS 18% |
| CVE-2023-29298 | ColdFusion | 2023-07-20 | CVSS 7.5, EPSS 100% |
| CVE-2023-38205 | ColdFusion | 2023-07-20 | CVSS 7.5, EPSS 100% |
| CVE-2023-26360 | ColdFusion | 2023-03-15 | CVSS 8.6, EPSS 97% |
| CVE-2010-2861 | ColdFusion | 2022-03-25 | ransomware, CVSS 9.8, EPSS 100% |
| CVE-2013-0625 | ColdFusion | 2022-03-07 | CVSS 9.8, EPSS 94% |
| CVE-2013-0629 | ColdFusion | 2022-03-07 | CVSS 7.5, EPSS 66% |
| CVE-2013-0631 | ColdFusion | 2022-03-07 | CVSS 7.5, EPSS 66% |
| CVE-2013-0632 | ColdFusion | 2022-03-03 | CVSS 9.8, EPSS 94% |
| CVE-2018-15961 | ColdFusion | 2021-11-03 | CVSS 9.8, EPSS 100% |
| CVE-2018-4939 | ColdFusion | 2021-11-03 | CVSS 9.8, EPSS 63% |
Acrobat and Reader: 13 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2009-3459 | Acrobat and Reader | 2026-05-20 | CVSS 8.8, EPSS 86% |
| CVE-2026-34621 | Acrobat and Reader | 2026-04-13 | CVSS 8.6, EPSS 7% |
| CVE-2023-21608 | Acrobat and Reader | 2023-10-10 | CVSS 7.8, EPSS 61% |
| CVE-2023-26369 | Acrobat and Reader | 2023-09-14 | CVSS 7.8, EPSS 7% |
| CVE-2007-5659 | Acrobat and Reader | 2022-06-08 | CVSS 7.8, EPSS 94% |
| CVE-2008-0655 | Acrobat and Reader | 2022-06-08 | CVSS 8.8, EPSS 37% |
| CVE-2009-3953 | Acrobat and Reader | 2022-06-08 | CVSS 8.8, EPSS 84% |
| CVE-2009-4324 | Acrobat and Reader | 2022-06-08 | CVSS 7.8, EPSS 82% |
| CVE-2010-2883 | Acrobat and Reader | 2022-06-08 | CVSS 7.3, EPSS 82% |
| CVE-2018-4990 | Acrobat and Reader | 2022-06-08 | CVSS 8.8, EPSS 41% |
| CVE-2008-2992 | Acrobat and Reader | 2022-03-03 | ransomware, CVSS 7.8, EPSS 98% |
| CVE-2021-21017 | Acrobat and Reader | 2021-11-03 | CVSS 8.8, EPSS 86% |
| CVE-2021-28550 | Acrobat and Reader | 2021-11-03 | CVSS 8.8, EPSS 52% |
Reader and Acrobat: 8 exploited CVEs
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2011-2462 | Reader and Acrobat | 2022-06-08 | CVSS 9.8, EPSS 86% |
| CVE-2014-0546 | Reader and Acrobat | 2022-05-25 | CVSS 9.8, EPSS 22% |
| CVE-2013-2729 | Reader and Acrobat | 2022-03-28 | CVSS 9.8, EPSS 67% |
| CVE-2009-0927 | Reader and Acrobat | 2022-03-25 | CVSS 8.8, EPSS 97% |
| CVE-2010-0188 | Reader and Acrobat | 2022-03-03 | ransomware, CVSS 7.8, EPSS 88% |
| CVE-2013-0640 | Reader and Acrobat | 2022-03-03 | CVSS 7.8, EPSS 87% |
| CVE-2013-3346 | Reader and Acrobat | 2022-03-03 | CVSS 9.8, EPSS 79% |
| CVE-2014-0496 | Reader and Acrobat | 2022-03-03 | CVSS 8.8, EPSS 40% |
Other Adobe products
| CVE | Product | Added to KEV | Signals |
|---|---|---|---|
| CVE-2020-9715 | Acrobat | 2026-04-13 | CVSS 7.8, EPSS 48% |
| CVE-2025-54236 | Commerce and Magento | 2025-10-24 | CVSS 9.1, EPSS 97% |
| CVE-2025-54253 | Experience Manager (AEM) Forms | 2025-10-15 | CVSS 10.0, EPSS 90% |
| CVE-2024-34102 | Commerce and Magento Open Source | 2024-07-17 | CVSS 9.8, EPSS 100% |
| CVE-2009-1862 | Acrobat and Reader, Flash Player | 2022-06-08 | CVSS 7.8, EPSS 25% |
| CVE-2016-0984 | Flash Player and AIR | 2022-05-25 | CVSS 8.8, EPSS 55% |
| CVE-2016-1010 | Flash Player and AIR | 2022-05-25 | CVSS 8.8, EPSS 20% |
| CVE-2009-3960 | BlazeDS | 2022-03-07 | ransomware, CVSS 6.5, EPSS 90% |
| CVE-2013-0641 | Reader | 2022-03-03 | CVSS 7.8, EPSS 32% |
| CVE-2022-24086 | Commerce and Magento Open Source | 2022-02-15 | CVSS 9.8, EPSS 99% |
Common questions about exploited Adobe CVEs
Which Adobe vulnerabilities are actively exploited?
As of July 2026, 79 Adobe CVEs are on the CISA Known Exploited Vulnerabilities catalog, meaning exploitation in the wild is confirmed. The most-listed products are Flash Player (33), ColdFusion (15), Acrobat and Reader (13), Reader and Acrobat (8). 10 are linked to ransomware campaigns.
What is the newest exploited Adobe CVE?
CVE-2009-3459, affecting Acrobat and Reader, added to the CISA KEV catalog on 2026-05-20. This page refreshes daily, so the newest entry is always first in the table.
How urgent are these Adobe CVEs?
KEV listing is the strongest fix-first signal there is: it means confirmed exploitation, not a prediction. Patch these ahead of higher-CVSS issues that nobody is exploiting. Check the vendor advisory (linked below) for fixed versions and workarounds.
Can I ask my own AI about exploited Adobe CVEs?
Yes. This page includes a free copy-paste AI prompt carrying the newest Adobe KEV entries, with CVSS, EPSS, and ransomware context, into Claude, ChatGPT, or Copilot. The data is refreshed daily.
Authoritative references
All vendors, searchable with due dates and CSV export: the exploited-CVE tracker. Every vendor with a page: exploited by vendor.