Description
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Published: 2026-01-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Patch
AI Analysis

Impact

This vulnerability is an OS command injection in Adobe Dreamweaver Desktop versions 21.6 and earlier. When a user opens a specially crafted file, the application fails to neutralize special elements, allowing an attacker to inject arbitrary shell commands. The weakness is classified as CWE‑78 and can lead to code execution on the host machine.

Affected Systems

Adobe Dreamweaver Desktop versions 21.6 and earlier running on Windows and macOS are affected, as indicated by the listed CPE identifiers for those operating systems.

Risk and Exploitability

The CVSS score of 8.6 signals high severity, while the EPSS score below 1% indicates a low likelihood of exploitation in the wild at present. The vulnerability is not yet included in the CISA KEV catalog. Exploitation requires user interaction – the victim must open a malicious file – so it is most likely to be utilized via social engineering or phishing attacks that distribute tailored Dreamweaver documents. If an attacker can coerce a user into opening such a file, they could execute arbitrary commands with the rights of that user.

Generated by OpenCVE AI on April 18, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Dreamweaver Desktop update that removes the OS command injection flaw.
  • Limit file opening permissions so that only trusted users can open documents in the application or require additional authentication before opening files.
  • Monitor system logs for unexpected command execution or creation of new processes by Dreamweaver and investigate any anomalies promptly.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:dreamweaver:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe dreamweaver
Vendors & Products Adobe
Adobe dreamweaver

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Description Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Title Dreamweaver Desktop | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:16.463Z

Reserved: 2025-12-12T22:01:18.187Z

Link: CVE-2026-21267

Vulnrichment

Updated: 2026-01-13T18:42:27.900Z

NVD

Status : Analyzed

Published: 2026-01-13T19:16:24.213

Modified: 2026-01-14T20:51:15.670

Link: CVE-2026-21267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z
