cbcvebase.
CVE-2026-23512
published 2026-01-14

CVE-2026-23512: SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger…

PriorityP340high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
0.19%
8.9th percentile
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

Affected

1 ranges
VendorProductVersion rangeFixed in
sumatrapdfreadersumatrapdf<= 3.5.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.