CVE-2026-2040 HIGH

CVE-2026-2040: PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Vendor Pdf-Xchange
Product PDF-XChange Editor
Weakness CWE-427
Published February 20, 2026
Last update February 24, 2026

CVSS base score

7.3/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788.

Key dates

02Disclosure timeline

February 20, 2026 CVE published
February 24, 2026 Record updated