PT-2026-7172 · Unknown · Sumatrapdf

Haaeein · Published 2026-02-09 · Updated 2026-02-10 · CVE-2026-25961

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: SumatraPDF versions 3.5.0 through 3.5.2

Description: SumatraPDF's update process has a flaw where TLS hostname verification is disabled (the WinINet flag INTERNET_FLAG_IGNORE_CERT_CN_INVALID is set on the request) and downloaded installers are executed without signature verification. This allows a network attacker possessing a valid TLS certificate for any name, such as one from Let's Encrypt, to intercept the update check, inject a malicious installer URL, and potentially execute arbitrary code on the victim's machine.

Recommendations: Update to a version beyond 3.5.2.

Exploit

Fix

Improper Certificate Validation


Weakness Enumeration

Related identifiers

BDU:2026-01951
CVE-2026-25961
GHSA-XPM2-RR5M-X96Q

Affected products

Sumatrapdf