How is CVE-2026-47908 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability. Authentication (not-required): No account or credentials are needed; the vulnerability is reachable by any unprivileged process or user on the host who can deliver a file to the victim. Victim interaction (required): The victim must open a malicious file, making this a social-engineering vector that requires convincing the target to load attacker-supplied content in Dreamweaver Desktop. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental precondition beyond the victim opening the file.

What is the impact of CVE-2026-47908?

Executes arbitrary code in the security context of the current user, giving the attacker full control over any process that user can launch. Reads files, credentials, and session tokens accessible to the logged-in user account. Writes or modifies files owned by that user, including project source code, configuration files, and local application data. Crashes or disrupts Dreamweaver Desktop and any co-dependent user-space processes.

Back to search

HIGHCVE-2026-47908Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-47908: Dreamweaver Desktop | Access of Uninitialized Pointer (CWE-824)

Dreamweaver Desktop versions 21.7 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An access-of-uninitialized-pointer vulnerability affects Adobe Dreamweaver Desktop versions 21.7 and earlier. The flaw is triggered locally when a user opens a specially crafted file, requiring no network exposure but needing the victim to interact with malicious content. Successful exploitation gives an attacker full arbitrary code execution in the context of the logged-in user, enabling read, write, and disruption of anything that user can access. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as Adobe ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Dreamweaver Desktop components.

Available

Triage

HarborGuard scores this CVE at CVSS 7.8 HIGH and is capable of weighting that score against each customer organization's per-environment compliance policy, routing findings to the appropriate team inbox based on configured ownership rules.

Available

Patch

Because no fix version has been published by Adobe, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, compensating-control guidance (such as network-policy isolation and file-type ingestion restrictions) is surfaced alongside the finding for customers reviewing their exposure.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.
AuthenticationNot required
No account or credentials are needed; the vulnerability is reachable by any unprivileged process or user on the host who can deliver a file to the victim.
Victim interactionRequired
The victim must open a malicious file, making this a social-engineering vector that requires convincing the target to load attacker-supplied content in Dreamweaver Desktop.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no race condition, specific memory layout, or other environmental precondition beyond the victim opening the file.

Blast Radius

Executes arbitrary code in the security context of the current user, giving the attacker full control over any process that user can launch.
Reads files, credentials, and session tokens accessible to the logged-in user account.
Writes or modifies files owned by that user, including project source code, configuration files, and local application data.
Crashes or disrupts Dreamweaver Desktop and any co-dependent user-space processes.

How HarborGuard Handles This

Available on HarborGuard: because Adobe has not yet published a fix for CVE-2026-47908, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, HarborGuard surfaces compensating-control suggestions alongside the finding, including restricting file-type associations for Dreamweaver Desktop in managed environments, applying application-layer controls to limit untrusted file delivery to the host, and flagging any image that bundles an affected version for prioritized manual review under applicable compliance policies.

See how HarborGuard automates this

Affected packages

Adobe / Dreamweaver Desktop
≤ 21.7

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified