CVE-2026-21267
OS Command Injection in Adobe Dreamweaver Desktop Allows Code Execution
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | dreamweaver | to 21.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Dreamweaver Desktop versions 21.6 and earlier is an OS Command Injection flaw caused by improper neutralization of special elements. It allows an attacker to execute arbitrary code on the victim's system if the victim opens a malicious file, changing the scope and enabling the attack.
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary code execution with high impact on confidentiality, integrity, and availability. An attacker could potentially take control of the affected system, leading to data compromise, system manipulation, or denial of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Dreamweaver Desktop to a version later than 21.6 where the issue is fixed. Additionally, avoid opening files from untrusted sources to prevent exploitation requiring user interaction.