Description
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Published: 2026-01-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

Dreamweaver Desktop versions 21.6 and earlier contain an improper input validation flaw whose exploitation can result in arbitrary code execution in the context of the user who opens a malicious file. The flaw arises when Dreamweaver processes a crafted file and does not adequately check the input before executing script or code embedded within that file. Attackers can inject malicious payloads that run with the privileges of the user, potentially compromising the system and any data accessed by that user.

Affected Systems

Adobe's Dreamweaver Desktop, across Windows and macOS platforms, is affected. The vulnerability applies to all installations running version 21.6 or older, regardless of operating system. Additional systems that use the application for development or publishing work may also be impacted if they load untrusted content into the editor.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of less than 1% suggests that, so far, exploitation attempts are rare. The vulnerability is also not listed in the KEV catalog, meaning no known widespread attacks have been reported yet. Exploitation requires user interaction: a victim must open a malicious Dreamweaver file, so user awareness and precautions around file handling can mitigate risk. In environments where users routinely open third‑party files, the risk is elevated.

Generated by OpenCVE AI on April 18, 2026 at 06:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Adobe's security update portal for a patch that addresses the improper input validation issue and apply it immediately once available.
  • Restrict the ability of end users to open or execute unknown or suspicious files in Dreamweaver by disabling automatic file opening or requiring manual verification before loading content.
  • Employ application whitelisting or file integrity monitoring to prevent the execution of unauthorized code that may be injected into Dreamweaver files.
  • Ensure that operating systems and antivirus/endpoint detection and response tools are kept up to date to detect malicious scripts embedded in document files.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Microsoft
Microsoft windows
CPEs cpe:2.3:a:adobe:dreamweaver:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos
Microsoft
Microsoft windows

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe dreamweaver
Vendors & Products Adobe
Adobe dreamweaver

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Description Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Title Dreamweaver Desktop | Improper Input Validation (CWE-20)
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-02-26T15:04:17.742Z

Reserved: 2025-12-12T22:01:18.187Z

Link: CVE-2026-21268

Vulnrichment

Updated: 2026-01-13T18:48:04.812Z

NVD

Status : Analyzed

Published: 2026-01-13T19:16:24.383

Modified: 2026-01-14T20:50:52.847

Link: CVE-2026-21268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:45:23Z

Weaknesses