Skip to main content

SlimPDFReader CVE-2026-13522

| EUVDEUVD-2026-40019 LOW
Out-of-bounds Read (CWE-125)
2026-06-29 VulDB GHSA-3pg9-gwgr-fmmw
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

PDF delivery is network-reachable but requires user to open the file (UI:R); impact is limited to an application crash with no confidentiality or integrity effect (C:N/I:N/A:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 29, 2026 - 02:22 NVD
MEDIUM LOW
CVSS changed
Jun 29, 2026 - 02:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jun 29, 2026 - 01:43 vuln.today

DescriptionCVE.org

A security flaw has been discovered in Investintech SlimPDFReader up to 2.0.14. Affected by this issue is the function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 of the file SlimPDFReader.exe of the component PDF File Handler. Performing a manipulation results in out-of-bounds read. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.

AnalysisAI

Out-of-bounds read in Investintech SlimPDFReader through version 2.0.14 exposes users to application crashes when processing maliciously crafted PDF files, exploitable remotely with passive user interaction. The vulnerable function SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0 within SlimPDFReader.exe fails to validate buffer boundaries during PDF parsing, resulting in a low-severity availability impact (application crash/DoS) with no confirmed confidentiality or integrity effect despite the 'Information Disclosure' tag in source metadata. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted PDF via email or web
Exploit
Victim opens PDF in SlimPDFReader
Execution
OOB read triggered in TeighaDo parser function
Impact
Application crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively open a maliciously crafted PDF file using SlimPDFReader version 2.0.14 or earlier on a Windows system - user interaction (UI:P in CVSS 4.0) is a hard prerequisite and cannot be bypassed remotely without additional social engineering. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects a realistic threat profile: network-reachable (AV:N), low complexity (AC:L), no authentication (PR:N), but requiring passive user interaction (UI:P) and producing only low availability impact (VA:L) with no confidentiality or integrity consequences (VC:N/VI:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker embeds malformed PDF object structures with manipulated length or offset values into a crafted PDF file and delivers it to a target via phishing email or a malicious download link. When the victim opens the file in SlimPDFReader 2.0.14 or earlier, the `TeighaDo` PDF parsing function reads beyond its allocated buffer, triggering an access violation that crashes the application. …
Remediation No vendor-released patch identified at time of analysis - the product is confirmed end-of-life and Investintech will not issue a fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy