Skip to main content

Adobe Dreamweaver CVE-2026-47908

| EUVDEUVD-2026-35802 HIGH
Access of Uninitialized Pointer (CWE-824)
2026-06-09 adobe GHSA-rrmh-w6hx-2f5g
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.8
Analysis Generated
Jun 09, 2026 - 20:06 vuln.today

DescriptionNVD

Dreamweaver Desktop versions 21.7 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

AnalysisAI

Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the context of the current user when a victim opens a malicious file. The flaw stems from access of an uninitialized pointer (CWE-824) and is tracked under Adobe advisory APSB26-62. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Adobe Dreamweaver Desktop is a commercial WYSIWYG web authoring application that parses a variety of project, markup, and asset file formats on the client side. The root cause is CWE-824 (Access of Uninitialized Pointer), a memory-safety defect in which the application dereferences a pointer that was never assigned a valid value, typically because an initialization path was skipped during file parsing. When the uninitialized pointer happens to hold attacker-influenced data, dereferencing it can be turned into a controlled write or jump primitive, leading to arbitrary code execution in the process. The affected CPE is cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* covering Dreamweaver Desktop builds up to and including 21.7.

RemediationAI

Apply the fixed Dreamweaver Desktop release published by Adobe in security bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html); the bulletin lists the exact patched build number and channel, and the advisory should be used as the source of truth since a specific fix version is not enumerated in this intelligence beyond 'after 21.7.' Until update deployment, instruct users not to open Dreamweaver project files, templates, or assets received from untrusted sources (email attachments, downloads, shared drives) and prefer opening such files in a sandboxed VM, accepting the productivity trade-off of slower review workflows. Application-level controls such as removing Dreamweaver from systems that do not need it and enforcing OS-level exploit mitigations (Windows Exploit Protection / macOS Gatekeeper and Hardened Runtime) reduce residual risk but do not substitute for the vendor patch.

Share

CVE-2026-47908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy