CVE-2026-25961

SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*

History

20 Feb 2026, 20:22

Type	Values Removed	Values Added
CPE		cpe:2.3:a:sumatrapdfreader:sumatrapdf::::::::
Summary		(es) SumatraPDF es un lector multiformato para Windows. En las versiones 3.5.0 a 3.5.2, el mecanismo de actualización de SumatraPDF deshabilita la verificación del nombre de host TLS (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) y ejecuta instaladores sin comprobaciones de firma. Un atacante de red con cualquier certificado TLS válido (por ejemplo, Let's Encrypt) puede interceptar la solicitud de comprobación de actualización, inyectar una URL de instalador malicioso y lograr la ejecución de código arbitrario.
References	~~() https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q -~~	() https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q - Exploit, Vendor Advisory
First Time		Sumatrapdfreader Sumatrapdfreader sumatrapdf

09 Feb 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 22:16

Updated : 2026-02-20 20:22

NVD link : CVE-2026-25961

Mitre link : CVE-2026-25961

CVE.ORG link : CVE-2026-25961

JSON object : View

Products Affected

sumatrapdfreader

sumatrapdf

CWE

CWE-295

Improper Certificate Validation

CWE-494

Download of Code Without Integrity Check

{"id": "CVE-2026-25961", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2026-02-09T22:16:04.750", "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-494"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-494"}]}], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En las versiones 3.5.0 a 3.5.2, el mecanismo de actualizaci\u00f3n de SumatraPDF deshabilita la verificaci\u00f3n del nombre de host TLS (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) y ejecuta instaladores sin comprobaciones de firma. Un atacante de red con cualquier certificado TLS v\u00e1lido (por ejemplo, Let's Encrypt) puede interceptar la solicitud de comprobaci\u00f3n de actualizaci\u00f3n, inyectar una URL de instalador malicioso y lograr la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2026-02-20T20:22:32.817", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35B34851-E186-4558-A6E4-CCE41DFEC9E1", "versionEndIncluding": "3.5.2", "versionStartIncluding": "3.5"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}