CVE-2026-21272
Published: 13 January 2026
Summary
CVE-2026-21272 is a high-severity Improper Input Validation (CWE-20) vulnerability in Adobe Dreamweaver. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 14.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper input validation (CWE-20) flaw by requiring validation mechanisms to prevent arbitrary file system writes from malicious files in Dreamweaver.
Ensures timely flaw remediation through patching Dreamweaver to version 22.0 or later as recommended in Adobe APSB26-01.
Provides vulnerability scanning to identify and remediate installations of vulnerable Dreamweaver versions affected by CVE-2026-21272.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local client-side exploitation of Dreamweaver via a malicious file leads to arbitrary writes, directly enabling client execution abuse and stored data manipulation on the filesystem.
NVD Description
Dreamweaver Desktop versions 21.6 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could leverage this vulnerability to manipulate or inject malicious data into files on the system. Exploitation of this issue requires user interaction in that a victim must open a malicious file and scope is changed.
Deeper analysis
CVE-2026-21272 is an Improper Input Validation vulnerability (CWE-20) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. This flaw allows arbitrary file system writes, enabling an attacker to manipulate or inject malicious data into files on the victim's system. Published on January 13, 2026, it carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability when scope is changed.
An attacker exploits the vulnerability by tricking a user into opening a malicious file locally: the attack vector is local, user interaction is required, and no privileges are needed. Successful exploitation grants the attacker the ability to perform arbitrary file writes, potentially leading to full system compromise through malicious data injection or file manipulation.
Adobe's security advisory (APSB26-01) at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html details mitigation, recommending users update to Dreamweaver Desktop version 22.0 or later, where the vulnerability has been addressed. Practitioners should verify installations and advise clients to avoid opening untrusted files in affected versions.
Details
- CWE(s)