CVE-2026-21267
Published: 13 January 2026
Summary
CVE-2026-21267 is a high-severity OS Command Injection (CWE-78) vulnerability in Adobe Dreamweaver. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the OS command injection flaw by requiring timely patching of vulnerable Dreamweaver versions as advised by Adobe.
Provides memory protections such as DEP and ASLR to block arbitrary code execution resulting from successful command injection.
Deploys anti-malware scanning to detect and prevent malicious files or injected code exploiting the Dreamweaver vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection triggered by opening a malicious file in the vulnerable desktop application directly enables T1204.002 (Malicious File) for initial execution leading to arbitrary code execution.
NVD Description
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead in arbitrary code execution by an attacker. Exploitation of this issue requires user…
more
interaction in that a victim must open a malicious file and scope is changed.
Deeper analysisAI
CVE-2026-21267 is an OS Command Injection vulnerability (CWE-78) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. The flaw stems from improper neutralization of special elements used in an OS command, potentially allowing arbitrary code execution. It was published on 2026-01-13 with a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability when exploited.
Exploitation requires local access and user interaction, specifically a victim opening a malicious file. No privileges are required on the part of the attacker (PR:N), and attack complexity is low (AC:L). Successful exploitation changes scope (S:C) and enables arbitrary code execution on the victim's system, potentially granting attackers full control over the affected Dreamweaver instance and underlying OS resources.
The primary advisory from Adobe, available at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html (APSB26-01), details mitigation steps, including applying the available patches to update Dreamweaver to a fixed version beyond 21.6. Security practitioners should prioritize updating affected installations and advise users against opening untrusted files in vulnerable versions.
Details
- CWE(s)