CVE-2026-25880

HIGH

SumatraPDF <3.5.2 - RCE

Title source: llm

Description

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.

References (1)

[Vendor Advisory] https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5x4h-247q-px37

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 5.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-426

Status published

Products (1)

sumatrapdfreader/sumatrapdf < 3.5.2

Published Feb 09, 2026

Tracked Since Feb 18, 2026