Skip to main content

Adobe Dreamweaver EUVDEUVD-2026-35804

| CVE-2026-47907 HIGH
Improper Access Control (CWE-284)
2026-06-09 adobe GHSA-5wmq-h34r-hmrf
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local file open by user (AV:L, UI:R, PR:N); only arbitrary read is supported, so C:H but I:N/A:N; scope change because reads cross the application's intended access boundary.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jun 23, 2026 - 22:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 23, 2026 - 22:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 23, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 23, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 23, 2026 - 22:22 NVD
6.3 (MEDIUM) 8.6 (HIGH)
Severity Changed
Jun 11, 2026 - 19:22 NVD
HIGH MEDIUM
CVSS changed
Jun 11, 2026 - 19:22 NVD
8.2 (HIGH) 6.3 (MEDIUM)
Severity Changed
Jun 11, 2026 - 19:22 NVD
HIGH MEDIUM
CVSS changed
Jun 11, 2026 - 19:22 NVD
8.2 (HIGH) 6.3 (MEDIUM)
Analysis Generated
Jun 09, 2026 - 20:07 vuln.today

DescriptionNVD

Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive files outside the intended scope when a victim opens a crafted malicious file. The flaw stems from improper access control (CWE-284) and carries a CVSS 3.1 base score of 8.6 due to scope change, but no public exploit identified at time of analysis and EPSS is only 0.03% (8th percentile).

Technical ContextAI

Dreamweaver Desktop is Adobe's web authoring and HTML/CSS/JavaScript editor, identified by CPE cpe:2.3:a:adobe:dreamweaver_desktop. The root cause is CWE-284 (Improper Access Control), where the application fails to correctly enforce boundaries around which files and directories an opened project or document may reference, allowing a maliciously crafted file to coerce the application into reading resources outside its intended sandbox. The CVSS scope change (S:C) indicates that exploitation in the Dreamweaver process boundary can affect resources managed by a different security authority - in this case the host file system beyond the application's expected access scope.

RemediationAI

Upgrade Dreamweaver Desktop to the fixed version published in Adobe security bulletin APSB26-62 (https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html); patch available per vendor advisory, with the exact fixed build to be taken directly from that bulletin. Until patching is complete, instruct users not to open Dreamweaver project files, site definitions, or templates received from untrusted sources or downloaded from the web, since exploitation hinges on the victim opening a malicious file. As compensating controls, restrict Dreamweaver to run under user accounts without access to sensitive directories (so any arbitrary read is bounded by OS file permissions) and consider blocking Dreamweaver-associated file types at the email gateway for high-risk users - trade-off is some friction for legitimate collaboration on shared web projects.

Share

EUVD-2026-35804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy