{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-02-09T21:34:05.203Z", "dateUpdated": "2026-02-10T15:57:28.303Z"}, "containers": {"cna": {"title": "SumatraPDF Update MITM -> Arbitrary Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": ">= 3.5.0, <= 3.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:34:05.203Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution."}], "source": {"advisory": "GHSA-xpm2-rr5m-x96q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:32:01.525616Z", "id": "CVE-2026-25961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:57:28.303Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25961", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-02-09T21:34:05.203Z", "dateUpdated": "2026-02-10T15:57:28.303Z"}, "containers": {"cna": {"title": "SumatraPDF Update MITM -> Arbitrary Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q"}], "affected": [{"vendor": "sumatrapdfreader", "product": "sumatrapdf", "versions": [{"version": ">= 3.5.0, <= 3.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T21:34:05.203Z"}, "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution."}], "source": {"advisory": "GHSA-xpm2-rr5m-x96q", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T15:32:01.525616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:32:02.622Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*:*", "matchCriteriaId": "35B34851-E186-4558-A6E4-CCE41DFEC9E1", "versionEndIncluding": "3.5.2", "versionStartIncluding": "3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.g., Let's Encrypt) can intercept the update check request, inject a malicious installer URL, and achieve arbitrary code execution."}, {"lang": "es", "value": "SumatraPDF es un lector multiformato para Windows. En las versiones 3.5.0 a 3.5.2, el mecanismo de actualizaci\u00f3n de SumatraPDF deshabilita la verificaci\u00f3n del nombre de host TLS (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) y ejecuta instaladores sin comprobaciones de firma. Un atacante de red con cualquier certificado TLS v\u00e1lido (por ejemplo, Let's Encrypt) puede interceptar la solicitud de comprobaci\u00f3n de actualizaci\u00f3n, inyectar una URL de instalador malicioso y lograr la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2026-25961", "lastModified": "2026-02-20T20:22:32.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-09T22:16:04.750", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-494"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-494"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,3.5.2]"}}], "product": "sumatrapdf", "vendor": "sumatrapdfreader"}], "analysis": {"en": {"generated_at": "2026-04-17T21:06:54.822354+00:00", "value": {"mitigation_remediation": ["Install SumatraPDF version 3.5.3 or later, which restores hostname verification and enforces installer signature checks.", "Disable the automatic update feature or configure the update client to accept only signed installers and reject unsigned downloads.", "Block or filter update traffic at the network perimeter to prevent interception of the TLS session used for updating SumatraPDF."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is SumatraPDF Reader, versions 3.5.0 through 3.5.2, used on Windows platforms. No other vendors or products are listed.", "description_and_impact": "SumatraPDF\u2019s update system, between versions 3.5.0 and 3.5.2, turns off TLS hostname verification and installs software without verifying signatures. This creates a pathway for an attacker to serve a malicious installer during a routine update check, allowing them to run arbitrary code on the target machine. The vulnerability is a classic example of certificate validation failure combined with missing signature verification; the result is a full compromise of the victim system.", "risk_and_exploitability": "The CVSS score of 7.5 marks the flaw as high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not identified in the CISA KEV catalog, suggesting no documented public exploitation. The attack proceeds over the network: a malicious actor intercepts the HTTPS update request, substitutes a malicious installer URL, and gains code execution. This requires network presence and control of the TLS certificate chain, which can be obtained with a legitimate certificate such as Let\u2019s Encrypt. Although rare, the potential impact is complete loss of system integrity."}}}}, "created": "2026-02-10T11:34:59.664408+00:00", "updated": "2026-04-17T21:15:27.380338+00:00", "vendors": ["sumatrapdfreader", "sumatrapdfreader$PRODUCT$sumatrapdf"]}