Cyber Posture

CVE-2026-21271

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0007 20.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21271 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Dreamweaver. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the vulnerability by requiring timely remediation through patching as specified in Adobe's APSB26-01 bulletin.

SI-10 Information Input Validation good match
prevent

Addresses the core improper input validation (CWE-20) flaw by enforcing validation mechanisms at file input points in Dreamweaver.

SI-16 Memory Protection partial match
prevent

Mitigates arbitrary code execution by protecting application memory from unauthorized code injection during malicious file processing.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Vulnerability in client application (Dreamweaver) directly enables RCE via user opening malicious file (T1204.002), matching Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must…

more

open a malicious file and scope is changed.

Deeper analysisAI

CVE-2026-21271 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. Published on 2026-01-13, the issue carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and enables arbitrary code execution in the context of the current user when a victim opens a malicious file, with the scope changed upon exploitation.

The attack requires local access (AV:L) and low complexity (AC:L), with no privileges needed from the attacker (PR:N), but relies on user interaction (UI:R) such as opening a crafted malicious file. Successful exploitation grants attackers high-impact control over confidentiality, integrity, and availability, allowing arbitrary code execution in an elevated scope.

Adobe's security bulletin APSB26-01, available at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html, addresses the vulnerability and provides details on patches and mitigation steps.

Details

CWE(s)
CWE-20

Affected Products

adobe
dreamweaver
≤ 21.7

CVEs Like This One

CVE-2026-21268Same product: Adobe Dreamweaver
CVE-2026-21272Same product: Adobe Dreamweaver
CVE-2026-21274Same product: Adobe Dreamweaver
CVE-2026-21267Same product: Adobe Dreamweaver
CVE-2026-21327Same product: Apple Macos
CVE-2025-21159Same product: Apple Macos
CVE-2025-24452Same product: Apple Macos
CVE-2025-21157Same product: Apple Macos
CVE-2026-21330Same product: Apple Macos
CVE-2025-21156Same product: Apple Macos

References