PT-2026-7172 · Unknown · Sumatrapdf

Haaeein · Published 2026-02-09 · Updated 2026-02-10 · CVE-2026-25961

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

SumatraPDF versions 3.5.0 through 3.5.2

Description

SumatraPDF's update process has two flaws: TLS hostname verification is disabled for the update check (the WinINet flag INTERNET_FLAG_IGNORE_CERT_CN_INVALID is set, so the server's certificate is no longer required to match the requested host name), and downloaded installers are executed without signature verification. A network attacker possessing a valid TLS certificate for any hostname, such as one from Let's Encrypt, can therefore intercept the update check, inject a malicious installer URL, and potentially execute arbitrary code.

Recommendations

Update to a version beyond 3.5.2.
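As an added illustration (not part of this advisory and not SumatraPDF's own code), the following PowerShell fragment shows the two checks the description says the affected updater skips, as an administrator would perform them when fetching an installer by hand: host-name-validated TLS on the download, then Authenticode verification before anything is executed. The update URL, the output path and the expected signer subject are placeholders.

```powershell
# Added example, not SumatraPDF code. All values below are assumptions/placeholders:
# the update URL, the download location and the expected signer subject.
$UpdateUrl       = 'https://example.invalid/updates/SumatraPDF-installer.exe'   # placeholder
$InstallerPath   = Join-Path $env:TEMP 'SumatraPDF-installer.exe'
$ExpectedSubject = 'CN=Placeholder Publisher'                                   # placeholder

# 1. Transport check. Invoke-WebRequest uses the .NET HTTPS stack, which by default validates
#    the certificate chain AND that the certificate matches the requested host name. That
#    host-name match is the check INTERNET_FLAG_IGNORE_CERT_CN_INVALID switches off in the
#    affected updater; never pass -SkipCertificateCheck here.
Invoke-WebRequest -Uri $UpdateUrl -OutFile $InstallerPath -ErrorAction Stop

# 2. Code-signing check. Authenticode verification is independent of the transport: even if
#    the download had been tampered with, an unsigned or foreign-signed binary is rejected.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Remove-Item $InstallerPath -Force
    throw "Installer signature status is '$($sig.Status)'; refusing to run it."
}
if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
    Remove-Item $InstallerPath -Force
    throw "Installer is signed by '$($sig.SignerCertificate.Subject)', not the expected publisher."
}

# 3. Only a chain-valid, host-name-matched download carrying a valid signature from the
#    expected publisher reaches this point.
Start-Process -FilePath $InstallerPath -Wait
```

Checking the signer subject, not just `Status -eq 'Valid'`, matters: any validly signed binary would otherwise pass, which is exactly the gap an injected installer URL exploits.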

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2026-01951
CVE-2026-25961
GHSA-XPM2-RR5M-X96Q

Affected Products

Sumatrapdf