{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23512", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.979Z", "datePublished": "2026-01-14T20:31:08.724Z", "dateUpdated": "2026-01-14T21:04:47.478Z"}, "containers": {"cna": {"title": "SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp", "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "lang": "en", "description": "CWE-426: Untrusted Search Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv"}, {"name": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673", "tags": ["x_refsource_MISC"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": "<= 3.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T20:31:08.724Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution."}], "source": {"advisory": "GHSA-rqg5-gj63-x4mv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T21:04:20.774464Z", "id": "CVE-2026-23512", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:04:47.478Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23512", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-14T21:04:20.774464Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:04:38.719Z"}}], "cna": {"title": "SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp", "source": {"advisory": "GHSA-rqg5-gj63-x4mv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"status": "affected", "version": "<= 3.5.2"}]}], "references": [{"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv", "name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673", "name": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T20:31:08.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23512", "state": "PUBLISHED", "dateUpdated": "2026-01-14T21:04:47.478Z", "dateReserved": "2026-01-13T18:22:43.979Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-14T20:31:08.724Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D48C2C6-E8BC-471E-B59A-236F038EBC0C", "versionEndIncluding": "3.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, there is a Untrusted Search Path vulnerability when Advanced Options setting is trigger. The application executes notepad.exe without specifying an absolute path when using the Advanced Options setting. On Windows, this allows execution of a malicious notepad.exe placed in the application's installation directory, leading to arbitrary code execution."}], "id": "CVE-2026-23512", "lastModified": "2026-02-03T17:56:29.520", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-14T21:15:54.013", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/2762e02a8cd7cb779c934a44257aac56ab7de673"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-rqg5-gj63-x4mv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:14:08.362190+00:00", "value": {"mitigation_remediation": ["Upgrade SumatraPDF to a version newer than 3.5.2", "Disable or reconfigure the Advanced Options feature so that absolute paths are used instead of the default search path", "Remove any unexpected notepad.exe or other executables from the SumatraPDF installation directory and secure the folder against execution"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects SumatraPDF releases 3.5.2 and earlier on Windows operating systems. The product name is SumatraPDF by sumatrapdfreader, and the affected product is the sumatrapdf application. All installations of these older versions are susceptible when the Advanced Options setting is in use.", "description_and_impact": "SumatraPDF, a Windows PDF reader, has an Untrusted Search Path flaw in its Advanced Options feature that causes the application to execute notepad.exe without a full path. If an attacker places a malicious notepad.exe in the installed folder, the program will run it, allowing the attacker to execute arbitrary code with the privileges of the user running SumatraPDF. The vulnerability originates from CWE-426 and results in unrestricted code execution for any user who launches the application with the Advanced Options enabled.", "risk_and_exploitability": "The vulnerability scores 8.6 on the CVSS scale, indicating high severity, and has an EPSS score of less than 1\u202f%, suggesting a low but existing likelihood of exploitation. It is not listed in the CISA KEV catalog. The typical attack vector requires a user to open SumatraPDF with Advanced Options enabled after an attacker has placed a crafted notepad.exe in the program directory. Because the bug relies on a local search path, it does not require network exposure but still poses a critical risk to any user who runs the software on a compromised system."}}}}, "created": "2026-01-15T08:03:25.908289+00:00", "updated": "2026-04-18T06:15:15.876440+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$windows", "sumatrapdfreader", "sumatrapdfreader$PRODUCT$sumatrapdf"]}