Skip to main content

Dreamweaver Desktop CVE-2026-47910

| EUVDEUVD-2026-35805 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-09 adobe GHSA-4pfm-pggq-vxqq
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 20:19 vuln.today

DescriptionNVD

Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the application's intended access scope when a victim opens a specially crafted malicious file. The vulnerability (CWE-863) results in a scope change - meaning access to files outside the component's normal boundary is achieved - with high confidentiality impact and no integrity or availability loss. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis, but the high confidentiality impact and low attack complexity make it a meaningful risk for environments where users routinely open externally sourced project files.

Technical ContextAI

Adobe Dreamweaver Desktop is a professional web and application development IDE that processes complex project files, templates, and site configurations. CWE-863 (Incorrect Authorization) indicates the application fails to properly enforce authorization checks when resolving or reading file system paths during the processing of user-supplied or externally crafted files - it does not correctly verify that the requested resource falls within the permitted access scope. The CVSS Scope:Changed (S:C) component is technically significant: the vulnerability's impact crosses the security boundary of the application itself, allowing reads from areas of the file system the application should not normally be able to access. The CPE string cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* confirms all platform variants of the desktop edition are affected through version 21.7. The 'Authentication Bypass' tag in the intelligence data aligns with the PR:N CVSS component - the attacker does not need to authenticate to the application to trigger the flaw.

RemediationAI

The primary remediation is to upgrade Adobe Dreamweaver Desktop to a version beyond 21.7 per the vendor advisory APSB26-62 at https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html. Note that the exact fixed version number is not independently confirmed from the available input data - consult the advisory directly for the specific patched release. If immediate patching is not feasible, the most effective compensating control is to restrict opening of Dreamweaver project files or site definitions received from untrusted or external sources, as exploitation requires a victim to open a malicious file. Applying OS-level read restrictions (e.g., AppLocker, SELinux policies, or macOS sandbox profiles) to limit Dreamweaver's file system access scope could reduce the blast radius of exploitation, though this may interfere with legitimate Dreamweaver functionality. Educating Dreamweaver users about the risk of opening unsolicited project files - particularly from email attachments, file-sharing platforms, or unverified repositories - is a meaningful interim control given the required user interaction.

Share

CVE-2026-47910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy