CVE-2025-47099: 
Adobe InCopy vulnerability analysis and mitigation

Adobe InCopy versions 20.3, 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability identified as CVE-2025-47099. The vulnerability was disclosed on July 8, 2025, and was reported through Adobe's private bug bounty program. The affected systems include both Windows and macOS operating systems running the specified versions of InCopy (NVD, CVE).

The vulnerability is classified as a Heap-based Buffer Overflow (CWE-122) with a CVSS v3.1 Base Score of 7.8 (HIGH). The vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability (NVD).

If successfully exploited, this vulnerability could result in arbitrary code execution in the context of the current user. The high CVSS score indicates significant potential impact on system security, affecting confidentiality, integrity, and availability of the system (NVD).

Adobe has addressed this vulnerability through security updates. Users are advised to update their InCopy installations to versions newer than 20.3 for the 20.x series or newer than 19.5.3 for the 19.x series (Adobe Advisory).