CVE-2026-34621 appears across three items with varying characterizations: one describes it as a prototype pollution vulnerability (CVSS 8.8, CISA KEV, remediation deadline April 27, 2026), while another describes a sandbox-bypass zero-day chain (CVSS 9.5, active exploitation confirmed since at least December 2025) and a third confirms an emergency out-of-band patch under APSB26-43. All three converge on the same CVE ID and the same Adobe Security Bulletin (APSB26-43); analysts should validate the authoritative CVSS vector and CWE classification directly against APSB26-43 and the NVD entry before finalizing severity. Regardless of characterization, active exploitation is confirmed, a CISA KEV deadline of April 27 applies, and patching is mandatory with no available workaround. Immediate action: patch all endpoints running Acrobat DC/Reader DC (versions 26.001.21367 and earlier) and Acrobat 2024 (versions 24.001.30356 and earlier) to the fixed releases per APSB26-43, and monitor for anomalous child processes spawned from Acrobat or Reader process trees.