Arbitrary Code Execution Vulnerability in SumatraPDF by SumatraPDF Reader
CVE-2026-25961

7.5HIGH

Key Information:

Vendor: SumatraPDFreader
Status: SumatraPDF
Vendor: CVE Published:; 9 February 2026

🔔 Create SumatraPDFreader Vulnerability Alert

What is CVE-2026-25961?

SumatraPDF, a versatile multi-format reader for Windows, has a critical flaw in versions 3.5.0 to 3.5.2. The application's update mechanism disables TLS hostname verification and allows for the execution of unsigned installers. This vulnerability permits a network attacker possessing a valid TLS certificate to intercept update requests, thereby injecting a malicious installer URL and executing arbitrary code. Users of affected versions should prioritize applying patches or updates to secure their systems from potential exploitation.

Affected Version(s)

sumatrapdf >= 3.5.0, <= 3.5.2

References

https://github.com/sumatrapdfreader/sumatrapdf/security/a...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 9, 2026
Vulnerability Reserved
Feb 9, 2026

CVE-2026-25961 Data

JSON