CVE-2026-25961

Published: Feb 9, 2026Modified: Feb 20, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.

Affected (1)

Products: Sumatrapdfreader: Sumatrapdf

Sumatrapdfreader

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sumatrapdfreader Sumatrapdf	From 3.5 to 3.5.2

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

References (1)

https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.