Skip to main content

Adobe Dreamweaver EUVDEUVD-2026-35803

| CVE-2026-47906 HIGH
Dependency on Vulnerable Third-Party Component (CWE-1395)
2026-06-09 adobe GHSA-2c25-6vf9-jx44
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 20:07 vuln.today

DescriptionNVD

Dreamweaver Desktop versions 21.7 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bundled with the application, allowing an attacker to run code in the context of the user who opens a malicious file. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the changed-scope CVSS of 8.6 reflects the potential for the embedded component flaw to break out of Dreamweaver's security boundary.

Technical ContextAI

Dreamweaver Desktop is Adobe's WYSIWYG web authoring tool, which bundles numerous third-party libraries to handle rendering, parsing, and project file formats. CWE-1395 (Dependency on Vulnerable Third-Party Component) indicates the root cause is an unpatched upstream library shipped inside the Dreamweaver installer rather than a flaw in Adobe's own code. The CPE string cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* with the 21.7-and-earlier constraint confirms all currently shipping desktop builds are in scope; Adobe has not publicly named which embedded component is vulnerable in APSB26-62.

RemediationAI

Upgrade Dreamweaver Desktop to the fixed release identified in Adobe Security Bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html) - patch available per vendor advisory, with the exact fixed version listed in that bulletin. Until the update is deployed, instruct users not to open Dreamweaver project files, templates, or assets received from untrusted senders or downloaded from the web, and consider application allowlisting or attachment filtering for Dreamweaver-associated file extensions on endpoints used by design and web-development staff; the trade-off is friction for collaborators who legitimately share project files. Where feasible, restrict Dreamweaver execution to non-privileged user accounts so the changed-scope impact is contained to a least-privileged context.

Share

EUVD-2026-35803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy