CVE-2026-25880 — Untrusted Search Path in Sumatrapdf

CWE-426 — Untrusted Search Path7 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 95.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sumatrapdfreader Sumatrapdf

Timeline

PublishedFeb 9

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sumatrapdfreader/sumatrapdf3.5.2

▶NVDsumatrapdfreader/sumatrapdf3.5.2

🔴Vulnerability Details

CVEList

Untrusted Search Path in SumatraPDF Reader (explorer.exe on Windows)↗2026-02-09

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23951 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-23512 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25961 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25920 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25880 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶