Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Dreamweaver Desktop versions 21.7 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.
Technical ContextAI
Dreamweaver Desktop is Adobe's WYSIWYG web authoring tool, which bundles numerous third-party libraries to handle rendering, parsing, and project file formats. CWE-1395 (Dependency on Vulnerable Third-Party Component) indicates the root cause is an unpatched upstream library shipped inside the Dreamweaver installer rather than a flaw in Adobe's own code. The CPE string cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* with the 21.7-and-earlier constraint confirms all currently shipping desktop builds are in scope; Adobe has not publicly named which embedded component is vulnerable in APSB26-62.
RemediationAI
Upgrade Dreamweaver Desktop to the fixed release identified in Adobe Security Bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html) - patch available per vendor advisory, with the exact fixed version listed in that bulletin. Until the update is deployed, instruct users not to open Dreamweaver project files, templates, or assets received from untrusted senders or downloaded from the web, and consider application allowlisting or attachment filtering for Dreamweaver-associated file extensions on endpoints used by design and web-development staff; the trade-off is friction for collaborators who legitimately share project files. Where feasible, restrict Dreamweaver execution to non-privileged user accounts so the changed-scope impact is contained to a least-privileged context.
More in Dreamweaver Desktop
View allArbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive f
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the cont
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive fil
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the app
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35803
GHSA-2c25-6vf9-jx44