CVE-2026-23512

High CVSS: 8.6

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

Vendor

Sumatrapdfreader

Product

Sumatrapdf

CWE

CWE-426

Yayın Tarihi

2026-01-14 21:15:54

Güncelleme

2026-02-03 17:56:29

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-426 Sumatrapdf HIGH Sumatrapdfreader 2026

Referanslar

https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673 https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv

Benzer Kayıtlar

Medium

CVE-2026-25920

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in…

High

CVE-2026-25961

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS host…

High

CVE-2026-25880

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious bi…

Medium

CVE-2026-23951

SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that on…

High

CVE-2025-57248

A null pointer dereference vulnerability was discovered in SumatraPDF 3.5.2 during the processing of a crafted .djvu fil…