Cyber Resilience

CVE-2026-21271

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0021 11.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21271 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Dreamweaver. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21271 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. Published on 2026-01-13, the issue carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and enables arbitrary code execution in the context of the current user when a victim opens a malicious file, with the scope changed upon exploitation.

The attack requires local access (AV:L) and low complexity (AC:L), with no privileges needed from the attacker (PR:N), but relies on user interaction (UI:R) such as opening a crafted malicious file. Successful exploitation grants attackers high-impact control over confidentiality, integrity, and availability, allowing arbitrary code execution in an elevated scope.

Adobe's security bulletin APSB26-01, available at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html, addresses the vulnerability and provides details on patches and mitigation steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…

more

open a malicious file and scope is changed.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability in client application (Dreamweaver) directly enables RCE via user opening malicious file (T1204.002), matching Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21268Same product: Adobe Dreamweaver
CVE-2026-21272Same product: Adobe Dreamweaver
CVE-2026-21274Same product: Adobe Dreamweaver
CVE-2026-21267Same product: Adobe Dreamweaver
CVE-2026-27283Same product: Apple Macos
CVE-2026-34636Same product: Apple Macos
CVE-2026-21320Same product: Apple Macos
CVE-2026-21318Same product: Apple Macos
CVE-2025-27166Same product: Apple Macos
CVE-2026-21281Same product: Apple Macos

Affected Assets

adobe
dreamweaver
≤ 21.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through patching as specified in Adobe's APSB26-01 bulletin.

prevent

Addresses the core improper input validation (CWE-20) flaw by enforcing validation mechanisms at file input points in Dreamweaver.

prevent

Mitigates arbitrary code execution by protecting application memory from unauthorized code injection during malicious file processing.

References