Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Local file open by user (AV:L, UI:R, PR:N); only arbitrary read is supported, so C:H but I:N/A:N; scope change because reads cross the application's intended access boundary.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive files outside the intended scope when a victim opens a crafted malicious file. The flaw stems from improper access control (CWE-284) and carries a CVSS 3.1 base score of 8.6 due to scope change, but no public exploit identified at time of analysis and EPSS is only 0.03% (8th percentile).
Technical ContextAI
Dreamweaver Desktop is Adobe's web authoring and HTML/CSS/JavaScript editor, identified by CPE cpe:2.3:a:adobe:dreamweaver_desktop. The root cause is CWE-284 (Improper Access Control), where the application fails to correctly enforce boundaries around which files and directories an opened project or document may reference, allowing a maliciously crafted file to coerce the application into reading resources outside its intended sandbox. The CVSS scope change (S:C) indicates that exploitation in the Dreamweaver process boundary can affect resources managed by a different security authority - in this case the host file system beyond the application's expected access scope.
RemediationAI
Upgrade Dreamweaver Desktop to the fixed version published in Adobe security bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html); patch available per vendor advisory, with the exact fixed build to be taken directly from that bulletin. Until patching is complete, instruct users not to open Dreamweaver project files, site definitions, or templates received from untrusted sources or downloaded from the web, since exploitation hinges on the victim opening a malicious file. As compensating controls, restrict Dreamweaver to run under user accounts without access to sensitive directories (so any arbitrary read is bounded by OS file permissions) and consider blocking Dreamweaver-associated file types at the email gateway for high-risk users - trade-off is some friction for legitimate collaboration on shared web projects.
More in Dreamweaver Desktop
View allArbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bun
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the cont
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive fil
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the app
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35804
GHSA-5wmq-h34r-hmrf