CVE-2026-21267

8.6 HIGH

📋 TL;DR

This CVE describes an OS command injection vulnerability in Adobe Dreamweaver Desktop versions 21.6 and earlier. Attackers can execute arbitrary code by tricking users into opening malicious files. This affects all users running vulnerable versions of Dreamweaver.

💻 Affected Systems

Products:
  • Adobe Dreamweaver Desktop
Versions: 21.6 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. Requires user to open a malicious file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining the same privileges as the user running Dreamweaver, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or malware execution within the user context, potentially stealing sensitive project files or credentials.

🟢 If Mitigated

No impact if users don't open untrusted files and proper endpoint security controls are in place.

🌐 Internet-Facing: LOW - Exploitation requires user interaction with malicious files, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious file). No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.7 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html

Restart Required: Yes

Instructions:

1. Open Adobe Creative Cloud application.
2. Navigate to 'Apps' section.
3. Find Dreamweaver and click 'Update'.
4. Wait for update to complete.
5. Restart Dreamweaver.

🔧 Temporary Workarounds

Restrict file opening (platforms: all)

Configure Dreamweaver to only open trusted files from known sources

Run with reduced privileges (platforms: Windows)

Run Dreamweaver with limited user account privileges to reduce impact

🧯 If You Can't Patch

  • Disable Dreamweaver until patched and use alternative web development tools
  • Implement application whitelisting to prevent Dreamweaver execution

🔍 How to Verify

Check if Vulnerable:

Check Dreamweaver version via Help > About Dreamweaver. If version is 21.6 or earlier, system is vulnerable.

Check Version:

On Windows: Check via Creative Cloud app or Help > About. On macOS: Dreamweaver > About Dreamweaver

Verify Fix Applied:

Verify Dreamweaver version is 21.7 or later via Help > About Dreamweaver.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from Dreamweaver
  • Suspicious command-line arguments in Dreamweaver processes

Network Indicators:

  • Unexpected outbound connections from Dreamweaver process

SIEM Query:

process_name:"dreamweaver.exe" AND (process_command_line:*cmd* OR process_command_line:*powershell* OR process_command_line:*bash*)
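
The log indicator "unexpected process execution from Dreamweaver" is a parent/child relationship, while the query above matches substrings of Dreamweaver's own command line. The following added example (not from the vendor advisory or this page's source) runs both forms over constructed process-creation events; the field names, install paths and the macOS process name `Dreamweaver` are assumptions.

```python
import ntpath  # ntpath.basename() splits on both "\\" and "/"

SHELLS = {"cmd", "powershell", "bash"}  # interpreters named in the page's query

# Constructed process-creation events (not real telemetry). Field names and
# install paths are assumptions; map them to your EDR or Sysmon schema.
DW_WIN = r"C:\Apps\Dreamweaver\Dreamweaver.exe"
DW_MAC = "/Applications/Example/Dreamweaver"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"id": 1, "image": DW_WIN, "parent_image": EXPLORER,
     "command_line": DW_WIN + r' "C:\work\cmdline-docs\index.html"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe", "parent_image": DW_WIN,
     "command_line": "cmd.exe /c echo constructed-sample"},
    {"id": 3, "image": "/bin/bash", "parent_image": DW_MAC,
     "command_line": "bash -c 'echo constructed-sample'"},
    {"id": 4, "image": DW_WIN, "parent_image": EXPLORER,
     "command_line": DW_WIN + r' "C:\work\site\index.html"'},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": EXPLORER, "command_line": "powershell.exe -NoLogo"},
]

def stem(path):
    """Lower-cased executable name without directory or .exe suffix."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name

def page_query(ev):
    """The page's query taken literally: substring match on the command
    line of the process named dreamweaver.exe."""
    cl = ev["command_line"].lower()
    named_dw = ntpath.basename(ev["image"]).lower() == "dreamweaver.exe"
    return named_dw and any(s in cl for s in SHELLS)

def shell_child(ev):
    """Parent/child form: a shell interpreter whose parent is Dreamweaver."""
    return stem(ev["parent_image"]) == "dreamweaver" and stem(ev["image"]) in SHELLS

def triage(events):
    """Return the event ids each rule fires on."""
    return {"page_query": [e["id"] for e in events if page_query(e)],
            "shell_child": [e["id"] for e in events if shell_child(e)]}

if __name__ == "__main__":
    print(triage(EVENTS))
```

On this sample the literal query fires only on event 1, a project path that happens to contain "cmd", while the parent/child rule fires on the two shell spawns (events 2 and 3).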
