HIGH | CVE-2026-47906 | CNA: adobe

CVE-2026-47906: Dreamweaver Desktop | Dependency on Vulnerable Third-Party Component (CWE-1395)

Dreamweaver Desktop versions 21.7 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

  • CVSS v3.1: 8.6
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a vulnerable third-party dependency issue in Adobe Dreamweaver Desktop versions 21.7 and earlier. Exploitation requires local access and user interaction: a victim must open a malicious file. No authentication is needed. Successful exploitation gives an attacker arbitrary code execution in the context of the current user, with high impact to confidentiality, integrity, and availability. No fix versions have been published yet; HarborGuard tracks the advisory and will flag a patched-image rebuild the moment Adobe releases one.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-47906 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Dreamweaver Desktop or its affected dependency components.

Triage: Available

Triage is available using the CVSS v3.1 score of 8.6 (HIGH), with per-environment compliance policy weighting applied to prioritize the finding appropriately for each customer organization. Routed alerts reach the right team inbox based on each org's configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, the CVE remains flagged as unresolved for any image found to carry an affected Dreamweaver Desktop version.

Exploit Conditions

  • Network reachability: Not required

    The attack vector is local (AV:L): exploitation happens on the host, here when the victim opens the malicious file; no network-exposed service is required to trigger this vulnerability.

  • Authentication: Not required

    No account or credentials are required; any unauthenticated party who can deliver a malicious file to the victim can attempt exploitation.

  • Victim interaction: Required

    The victim must open a malicious file, so social engineering or malicious file delivery is the necessary attack vector.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.

Blast Radius

  • Executes arbitrary code as the current user, giving the attacker full control over that user session and any resources accessible to it.
  • Reads any files, credentials, tokens, or secrets accessible to the current user account on the host.
  • Modifies or deletes files and data owned by the current user, including project files, configurations, and local application state.
  • Crashes or destabilizes the Dreamweaver Desktop process and any dependent workflows running under the affected user context.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-47906 is active for all connected image registries and pipelines as of ingestion. Because Adobe has not yet published a fix version, no patched-image rebuild is currently available. HarborGuard re-evaluates the advisory on every ingest cycle and will generate a patched rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads as soon as an upstream fix is published. In the meantime, recommended compensating controls include network-policy isolation to limit file-delivery vectors to affected hosts, egress filtering to reduce attacker-controlled content delivery paths, and disabling or gating Dreamweaver Desktop use in environments where untrusted files may be opened. The CVE will remain flagged as unresolved in your HarborGuard dashboard until a fix is confirmed and the rebuild is validated.

Affected packages
  • Adobe / Dreamweaver Desktop: ≤ 21.7
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H