{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2040", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-02-06T01:13:48.593Z", "datePublished": "2026-02-20T22:21:17.790Z", "dateUpdated": "2026-02-24T15:07:07.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-02-20T22:21:17.790Z"}, "title": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "descriptions": [{"lang": "en", "value": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788."}], "affected": [{"vendor": "PDF-XChange", "product": "PDF-XChange Editor", "versions": [{"version": "10.7.2.400", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-122/", "name": "ZDI-26-122", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-02-06T01:13:48.624Z", "datePublic": "2026-02-19T14:24:40.432Z", "source": {"lang": "en", "value": "Kolja Grassmann (Neodyme AG)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T15:06:54.167938Z", "id": "CVE-2026-2040", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:07:07.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2040", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T15:06:54.167938Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:07:02.800Z"}}], "cna": {"title": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "source": {"lang": "en", "value": "Kolja Grassmann (Neodyme AG)"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "PDF-XChange", "product": "PDF-XChange Editor", "versions": [{"status": "affected", "version": "10.7.2.400"}], "defaultStatus": "unknown"}], "datePublic": "2026-02-19T14:24:40.432Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-122/", "name": "ZDI-26-122", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-02-06T01:13:48.624Z", "descriptions": [{"lang": "en", "value": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-02-20T22:21:17.790Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2040", "state": "PUBLISHED", "dateUpdated": "2026-02-24T15:07:07.127Z", "dateReserved": "2026-02-06T01:13:48.593Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-02-20T22:21:17.790Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788."}, {"lang": "es", "value": "Vulnerabilidad de Escalada de Privilegios Local por Elemento de Ruta de B\u00fasqueda No Controlado en PDF-XChange Editor TrackerUpdate. Esta vulnerabilidad permite a atacantes locales escalar privilegios en instalaciones afectadas de PDF-XChange Editor. Un atacante debe primero lograr la capacidad de ejecutar c\u00f3digo con pocos privilegios en el sistema objetivo para explotar esta vulnerabilidad.\n\nLa falla se encuentra dentro del proceso TrackerUpdate. El producto carga una biblioteca desde una ubicaci\u00f3n no segura. Un atacante puede aprovechar esta vulnerabilidad para escalar privilegios y ejecutar c\u00f3digo en el contexto de un usuario objetivo. Fue ZDI-CAN-27788."}], "id": "CVE-2026-2040", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-02-20T23:16:04.050", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-122/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "10.7.2.400"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "PDF-XChange Editor", "source": "cna", "vendor": "PDF-XChange"}, "product": "pdf-xchange_editor", "vendor": "pdf-xchange"}], "analysis": {"en": {"generated_at": "2026-04-17T17:04:34.982377+00:00", "value": {"mitigation_remediation": ["Acquire and install the latest vendor patch for PDF\u2011XChange Editor that removes the TrackerUpdate library loading flaw.", "Restrict the ability for arbitrary binaries to run by enforcing application whitelisting or disabling execution from untrusted locations, thereby preventing the precursory low\u2011privilege code execution required by this vulnerability.", "If a patch is not yet available, consider disabling or removing the TrackerUpdate functionality and configuring the system\u2019s library search path to exclude untrusted directories, thereby mitigating the uncontrolled search path element."], "summary": {"action": "Apply Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "PDF\u2011XChange Editor is the affected product. No specific version information or additional vendor details are supplied in this report, so any installation of PDF\u2011XChange Editor that contains the default TrackerUpdate behavior is potentially vulnerable.", "description_and_impact": "An uncontrolled search path element in the TrackerUpdate process allows a local attacker who has already obtained a low\u2011privilege execution environment to load an attacker\u2011controlled library from an unsecured location. This flaw can raise the privilege level of the attacker\u2019s code to that of the target user, enabling the attacker to run arbitrary code with elevated rights. The weakness is consistent with CWE\u2011427, which describes problems related to the ability to influence or control the library search path used by an application.", "risk_and_exploitability": "The calculated CVSS score is 7.3, indicating a high severity vulnerability when the conditions are met. The EPSS score is below 1\u202f%, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not widely exploited in the wild. However, exploitation requires the attacker to have local code execution already, which is plausible if the attacker has compromised an application or executed a malicious script on the system. Therefore the primary risk is to users who have inadvertently run untrusted code or who have been infected by malware capable of low\u2011privilege execution."}}}}, "created": "2026-02-23T14:33:50.713285+00:00", "updated": "2026-04-17T17:15:23.713948+00:00", "vendors": ["pdf-xchange", "pdf-xchange$PRODUCT$pdf-xchange_editor"]}