Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive files and directories outside the application's intended access scope by convincing a victim to open a specially crafted malicious file. The changed scope (S:C) in the CVSS vector confirms the impact extends beyond Dreamweaver's own security context - read access can reach OS-level files, credentials, or configuration data. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a targeted rather than opportunistic threat profile.
Technical ContextAI
The root cause is CWE-20 (Improper Input Validation), meaning Dreamweaver Desktop fails to adequately validate or sanitize input from a file it parses, enabling path traversal or out-of-bounds file read access. The affected component is identified by CPE cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:*, covering all versions through 21.7. The CVSS scope change indicator (S:C) is technically significant: it means the vulnerability allows the attacker's payload to escape the Dreamweaver process boundary and access file system resources that Dreamweaver would not ordinarily be authorized to read. This is characteristic of improper sanitization of file paths or project-definition inputs within the application's file-loading or parsing subsystem.
RemediationAI
Apply the vendor-released patch per Adobe security bulletin APSB26-62 at https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html. The advisory confirms a fix is available; however, the exact patched version number was not independently confirmed from available input data - consult APSB26-62 directly for the confirmed fix version number. As a compensating control prior to patching, users should be instructed not to open Dreamweaver project files received from untrusted or unverified sources, as user interaction is the required attack enabler. Organizations can enforce file origin policies or application-layer controls (e.g., blocking opening of Dreamweaver project files from email attachments or untrusted download directories) to reduce exposure. These controls reduce the social engineering attack surface but do not eliminate the underlying vulnerability in the application.
More in Dreamweaver Desktop
View allArbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive f
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bun
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the cont
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the app
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35806
GHSA-4v5c-8h8p-7gh3