Share
## https://sploitus.com/exploit?id=1C29E70A-9333-52E2-AA23-2512A0D72EA8
# Adobe Reader JS Sandbox Escape โ€” POC

Proof-of-concept for three chained vulnerabilities in Adobe Acrobat/Reader on macOS,
disclosed by STAR Labs in April 2026.

## Vulnerabilities

| CVE | Description | Patched in |
|-----|-------------|------------|
| CVE-2026-34621 | Prototype pollution via collaboration login (`SilentDocCenterLogin`) | 26.001.21368 |
| CVE-2026-34622 | Eval injection via dialog button handler (`ANFancyAlertImpl`) | 26.001.21412 |
| CVE-2026-34626 | Object confusion to escalate to trusted execution context | 26.001.21412 |

**Affected:** Acrobat DC / Reader DC / Acrobat 2024 โ‰ค 26.001.21411 on macOS and Windows.
**Patches released:** April 12โ€“14, 2026.

Full write-up: https://starlabs.sg/blog/2026/04-three-bugs-walk-into-a-pdf-prototype-pollution-served-cold/

## How it works

1. `ANFancyAlertImpl` evaluates button labels unsanitized โ€” inject arbitrary JS (CVE-2026-34622)
2. Injected code pollutes `Object.prototype.swConn` to hijack `SilentDocCenterLogin` call chain (CVE-2026-34621)
3. Call chain reaches `app.trustedFunction`, promoting arbitrary function to privileged context (CVE-2026-34626)
4. Privileged function calls `app.beginPriv()` + `util.readFileIntoStream()` โ€” sandbox escaped, arbitrary file read

## Build

```bash
pip3 install pypdf
make build   # writes out/malicious-poc.pdf
make clean   # removes out/
```

Open the generated PDF with a vulnerable Reader version to trigger the exploit.

## Disclosure

Vulnerabilities reported to Adobe by EXPMON; independently analyzed and chained by STAR Labs.
This POC is released for educational and defensive purposes after patches were publicly available.