Skip to main content

Dreamweaver Desktop EUVDEUVD-2026-35806

| CVE-2026-47909 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 adobe GHSA-4v5c-8h8p-7gh3
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 20:19 vuln.today

DescriptionNVD

Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

AnalysisAI

Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive files and directories outside the application's intended access scope by convincing a victim to open a specially crafted malicious file. The changed scope (S:C) in the CVSS vector confirms the impact extends beyond Dreamweaver's own security context - read access can reach OS-level files, credentials, or configuration data. No public exploit has been identified and this vulnerability is not listed in CISA KEV, placing it in a targeted rather than opportunistic threat profile.

Technical ContextAI

The root cause is CWE-20 (Improper Input Validation), meaning Dreamweaver Desktop fails to adequately validate or sanitize input from a file it parses, enabling path traversal or out-of-bounds file read access. The affected component is identified by CPE cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:*, covering all versions through 21.7. The CVSS scope change indicator (S:C) is technically significant: it means the vulnerability allows the attacker's payload to escape the Dreamweaver process boundary and access file system resources that Dreamweaver would not ordinarily be authorized to read. This is characteristic of improper sanitization of file paths or project-definition inputs within the application's file-loading or parsing subsystem.

RemediationAI

Apply the vendor-released patch per Adobe security bulletin APSB26-62 at https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html. The advisory confirms a fix is available; however, the exact patched version number was not independently confirmed from available input data - consult APSB26-62 directly for the confirmed fix version number. As a compensating control prior to patching, users should be instructed not to open Dreamweaver project files received from untrusted or unverified sources, as user interaction is the required attack enabler. Organizations can enforce file origin policies or application-layer controls (e.g., blocking opening of Dreamweaver project files from email attachments or untrusted download directories) to reduce exposure. These controls reduce the social engineering attack surface but do not eliminate the underlying vulnerability in the application.

Share

EUVD-2026-35806 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy