ID:12749 - Exploit for Improper Neutralization of Argument Delimiters in a Command in atril - CVE-2026-46529

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Exploits ID:12749 - Exploit for Improper Neutralization of Argument Delimiters in a Command in atril - CVE-2026-46529

ID:12749 - Exploit for Improper Neutralization of Argument Delimiters in a Command in atril - CVE-2026-46529

Published: May 22, 2026


Vulnerability identifier: #VU132128
Vulnerability risk: High
CVE-ID: CVE-2026-46529
CWE-ID: CWE-88
Exploitation vector: Remote access
Vulnerable software:
atril

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of argument delimiters in a command in ev_spawn() in shell/ev-application.c when processing a crafted /GoToR action in a PDF document. A remote attacker can trick the victim into clicking a crafted link in a malicious PDF to execute arbitrary code.

User interaction is required to click a link inside the PDF document, and the issue can be delivered as a single polyglot file that is both a valid PDF and a valid ELF shared library.


Remediation

Install security update from vendor's website.