Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
Dreamweaver Desktop versions 21.7 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
AnalysisAI
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the context of the current user when a victim opens a malicious file. The flaw stems from access of an uninitialized pointer (CWE-824) and is tracked under Adobe advisory APSB26-62. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Adobe Dreamweaver Desktop is a commercial WYSIWYG web authoring application that parses a variety of project, markup, and asset file formats on the client side. The root cause is CWE-824 (Access of Uninitialized Pointer), a memory-safety defect in which the application dereferences a pointer that was never assigned a valid value, typically because an initialization path was skipped during file parsing. When the uninitialized pointer happens to hold attacker-influenced data, dereferencing it can be turned into a controlled write or jump primitive, leading to arbitrary code execution in the process. The affected CPE is cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* covering Dreamweaver Desktop builds up to and including 21.7.
RemediationAI
Apply the fixed Dreamweaver Desktop release published by Adobe in security bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html); the bulletin lists the exact patched build number and channel, and the advisory should be used as the source of truth since a specific fix version is not enumerated in this intelligence beyond 'after 21.7.' Until update deployment, instruct users not to open Dreamweaver project files, templates, or assets received from untrusted sources (email attachments, downloads, shared drives) and prefer opening such files in a sandboxed VM, accepting the productivity trade-off of slower review workflows. Application-level controls such as removing Dreamweaver from systems that do not need it and enforcing OS-level exploit mitigations (Windows Exploit Protection / macOS Gatekeeper and Hardened Runtime) reduce residual risk but do not substitute for the vendor patch.
More in Dreamweaver Desktop
View allArbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive f
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bun
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive fil
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the app
Same weakness CWE-824 – Access of Uninitialized Pointer
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35802
GHSA-rrmh-w6hx-2f5g