CVE-2026-25880
HIGH
SumatraPDF <3.5.2 - RCE
Title source: llm
Description
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary (explorer.exe) located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s system with the privileges of the current user, without any warning or user interaction beyond the menu click.
Scores
CVSS v3
7.8
EPSS
0.0001
EPSS Percentile
1.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Classification
CWE
CWE-426
Status
published
Affected Products (1)
sumatrapdfreader/sumatrapdf
< 3.5.2
Timeline
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026