MEDIUM 6.3

CVE-2026-47909: Dreamweaver Arbitrary File Read via Input Validation Flaw

Dreamweaver Desktop versions 21.7 and earlier contain a flaw that allows attackers to read files from your computer that they shouldn't be able to access. The vulnerability requires social engineering—an attacker must trick you into opening a malicious file. Once opened, the attacker gains read access to sensitive data outside the application's normal boundaries. This is a local attack that doesn't require special permissions, but it does depend on user action.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47909 is an improper input validation vulnerability (CWE-20) in Adobe Dreamweaver Desktop affecting versions 21.7 and earlier on Windows and macOS. The flaw allows unauthenticated local attackers to read arbitrary files from the host system by crafting a malicious file that, when opened by a victim in Dreamweaver, bypasses input validation controls. The vulnerability results in a scope change (CWE-20 with elevated impact), meaning the attacker can access resources beyond what the application normally protects. The attack vector is local (AV:L), requires no special privileges (PR:N), has low complexity (AC:L), and necessitates user interaction (UI:R) to open the malicious file.

Business impact

This vulnerability poses a confidentiality risk to organizations using Dreamweaver Desktop for web development. Attackers can harvest sensitive information—source code, configuration files, API keys, credentials stored in the user's home directory, or other intellectual property—by distributing malicious files via phishing, watering hole, or supply-chain-adjacent methods. The attack does not enable file modification or system destruction, but the disclosure of sensitive design or business data can lead to competitive harm, compliance violations, or secondary attacks. Teams relying on Dreamweaver for client projects face additional risk if they handle third-party files from untrusted sources.

Affected systems

Adobe Dreamweaver Desktop versions 21.7 and earlier running on Windows or macOS are affected. The vulnerability is local-attack only, so exposure is limited to users who actually run the vulnerable software and interact with attacker-controlled files. Developers, web designers, and creative teams using Dreamweaver in these versions are at risk. Later versions of Dreamweaver (above 21.7) are not affected, provided they contain the necessary input validation fixes.

Exploitability

Exploitability is moderate. The attack requires user interaction—the victim must be persuaded to open a malicious file in Dreamweaver. There is no network component, no privilege escalation needed, and the attacker needs no prior access. However, successful exploitation depends on social engineering effectiveness. The file must be crafted to trigger the input validation bypass without raising user suspicion. The CVSS score of 6.3 (MEDIUM) reflects this balance: high confidentiality impact but user-interaction dependency and local scope. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting it has not yet been weaponized in widespread attacks, though this does not guarantee immunity.

Remediation

Users and administrators should update Dreamweaver Desktop to a version later than 21.7 as soon as vendor patches are available. Adobe has not yet published specific patch versions in the provided advisories, so verify the latest available release through the official Adobe website or the Creative Cloud application. Until patched, organizations should restrict file-opening workflows: implement controls to prevent users from opening files from untrusted sources in Dreamweaver, and educate teams on the risks of opening unsolicited project files or archives. Consider using application sandboxing or execution controls on development machines to limit file system access.

Patch guidance

Monitor Adobe's security advisories for release of patched Dreamweaver Desktop versions. Updates above version 21.7 should address the input validation flaw. Deploy patches via Adobe Creative Cloud's automatic update mechanism or through manual downloads from Adobe's official site. Verify patch status by checking the version number in Dreamweaver's About dialog (typically Help > About Dreamweaver). Test patched versions in a non-production environment before full rollout to ensure compatibility with active projects and plugins. Maintain an inventory of Dreamweaver installations across your organization to track remediation progress.

Detection guidance

Monitor file-opening activity in Dreamweaver through endpoint detection and response (EDR) tools. Look for unusual file access patterns—particularly reads of sensitive system directories or home directory contents—correlated with Dreamweaver process execution. File integrity monitoring can flag unexpected access to .env files, API key stores, or source code repositories. Network-based detection is limited since this is a local attack, but email and file-transfer monitoring can identify delivery of suspicious project files. Educate developers to report unusual behavior when opening files in Dreamweaver (unexpected file dialogs, sluggish performance, or access permission prompts). Log and audit which files are opened in Dreamweaver on sensitive systems.

Why prioritize this

This vulnerability merits timely but not emergency patching. The MEDIUM CVSS score (6.3) and user-interaction requirement prevent it from being critical, but the high confidentiality impact and the fact that source code and credentials are routine targets make it a priority for development teams. The lack of KEV designation suggests no active exploitation in the wild currently, but exploitation is technically feasible. Prioritize patching for Dreamweaver instances that handle proprietary code, client projects, or systems where developers store credentials in accessible locations. Standard enterprise patch cycles (within 30 days) are appropriate; accelerate to 2–3 weeks for high-value development environments.

Risk score, explained

The CVSS v3.1 score of 6.3 (MEDIUM) is driven by: (1) High confidentiality impact (C:H)—unrestricted file read access; (2) No integrity or availability impact (I:N/A:N)—files are not modified or deleted; (3) Local attack vector (AV:L)—attacker must already have system access or trick the user into opening a file; (4) Required user interaction (UI:R)—victim must open the malicious file; (5) Low attack complexity (AC:L)—no special conditions needed; (6) No privilege requirement (PR:N); (7) Changed scope (S:C)—impact extends beyond the Dreamweaver security boundary. The user-interaction requirement prevents a higher score despite the high confidentiality impact.

Frequently asked questions

Does this affect Dreamweaver versions after 21.7?

No, this vulnerability specifically affects Dreamweaver Desktop version 21.7 and earlier. Versions released after 21.7 include the necessary input validation fixes. Always verify your version in Help > About Dreamweaver and update if you are on 21.7 or below.

Can this vulnerability be exploited remotely or only locally?

This is a local-only attack. The attacker cannot exploit it over the network; they must first trick the victim into opening a malicious file on the same computer where Dreamweaver is installed. Phishing, file sharing, or compromised downloads are typical delivery methods.

What kinds of files could be used to exploit this?

Any file type that Dreamweaver can open or process could potentially be crafted to trigger the vulnerability—such as .html, .xml, .psd, or custom project files. Attackers would likely disguise the file as a legitimate project or design asset. Do not open unsolicited design files or project folders from untrusted sources.

Is this vulnerability being actively exploited?

As of the latest data, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed widespread active exploitation in the wild. However, this does not guarantee the vulnerability will not be exploited in the future, so timely patching remains important.

This analysis is provided for informational purposes and reflects the state of publicly available vulnerability data as of the publication date. SEC.co does not guarantee the completeness or real-time accuracy of threat intelligence. Patch versions, availability timelines, and vendor advisories should be verified directly with Adobe's official security bulletins. Organizations should conduct their own risk assessments based on their specific deployment, data sensitivity, and compliance requirements. No exploit code or step-by-step attack instructions are provided in this analysis. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).