CVE-2026-25880

Source
https://cve.org/CVERecord?id=CVE-2026-25880
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25880.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25880
Aliases
  • GHSA-5x4h-247q-px37
Published
2026-02-09T21:10:59.964Z
Modified
2026-03-10T14:47:32.934632Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Untrusted Search Path in SumatraPDF Reader (explorer.exe on Windows)
Details

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-426"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25880.json"
}
References

Affected packages

Git / github.com/sumatrapdfreader/sumatrapdf

Affected ranges

Type
GIT
Repo
https://github.com/sumatrapdfreader/sumatrapdf
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.5.2"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25880.json"