CVE-2026-23512Untrusted Search Path in Sumatrapdf

CWE-426Untrusted Search Path7 documents3 sources
Severity
7.8HIGHNVD
CNA8.6
EPSS
0.0%
top 94.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Sumatrapdfreader Sumatrapdf
Timeline
PublishedJan 14

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

Patches

Patch: github.com

🔴Vulnerability Details

1
CVEList
SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp2026-01-14

🕵️Threat Intelligence

5
Wiz
CVE-2026-23951 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-23512 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-25961 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-25920 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-25880 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23512 — Untrusted Search Path in Sumatrapdf | cvebase