CVE-2026-25880

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5x4h-247q-px37	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 22:16

Updated : 2026-02-23 18:14

NVD link : CVE-2026-25880

Mitre link : CVE-2026-25880

CVE.ORG link : CVE-2026-25880

JSON object : View

Products Affected

sumatrapdfreader

sumatrapdf

CWE

CWE-426

Untrusted Search Path

{"id": "CVE-2026-25880", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-09T22:16:03.267", "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5x4h-247q-px37", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File \u2192 \u201cShow in folder\u201d. This behavior leads to arbitrary code execution on the victim\u2019s system with the privileges of the current user, without any warning or user interaction beyond the menu click."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En la versi\u00f3n 3.5.2 y anteriores, el lector de PDF permite la ejecuci\u00f3n de un binario malicioso (explorer.exe) ubicado en el mismo directorio que el PDF abierto cuando el usuario hace clic en Archivo ? 'Mostrar en carpeta'. Este comportamiento conduce a la ejecuci\u00f3n de c\u00f3digo arbitrario en el sistema de la v\u00edctima con los privilegios del usuario actual, sin ninguna advertencia ni interacci\u00f3n del usuario m\u00e1s all\u00e1 del clic en el men\u00fa."}], "lastModified": "2026-02-23T18:14:13.717", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D48C2C6-E8BC-471E-B59A-236F038EBC0C", "versionEndIncluding": "3.5.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}