Local Code Execution Flaws Disclosed in PDF Explorer and RGui
Two newly cataloged CVEs detail local code execution vulnerabilities in Windows desktop applications PDF Explorer 1.5.66.2 and RGui 3.5.0. CVE-2018-25217 affects PDF Explorer through a structured exception handler (SEH) overflow in the application's Custom fields settings dialog, where malicious data placed in the Label field can overwrite SEH records and enable arbitrary code execution. The issue is mapped to CWE-787 and was published with CVSS v4.0 and v3.1 scoring, alongside references to Exploit-DB, RTT Software, a trial installer, and a VulnCheck advisory.
CVE-2018-25258 affects RGui 3.5.0 through a stack-based buffer overflow in the GUI preferences dialog, specifically the Language for menus and messages field. The disclosure says an attacker can use SEH-based exploitation to bypass DEP, run a ROP chain that calls VirtualAlloc, and achieve arbitrary code execution on the local system. The entry was published with CVSS v4.0 and v3.1 vectors and references to the affected R 3.5.0 Windows binary, Exploit-DB, the R Project website, and a VulnCheck advisory.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CVE-2018-25258 disclosed for RGui 3.5.0 buffer overflow
A CVE entry for RGui 3.5.0 documented a local buffer overflow in the GUI preferences dialog, triggered through the "Language for menus and messages" field. The disclosure said attackers could bypass DEP with SEH exploitation, use a ROP chain invoking VirtualAlloc, and achieve arbitrary code execution.
CVE-2018-25217 disclosed for PDF Explorer SEH overflow
A CVE entry for PDF Explorer 1.5.66.2 documented a local code execution vulnerability caused by a structured exception handler overflow in the Custom fields settings dialog's Label field. The disclosure described arbitrary code execution via SEH overwrite, buffer overflow techniques, and ROP gadget chains.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Discloses Windows RCE Flaws in Scripting Languages and URL Parsing
Microsoft published Security Update Guide entries for two Windows remote code execution vulnerabilities affecting different core components: **CVE-2022-41118** in **Windows Scripting Languages** and **CVE-2025-59295** in **Windows URL Parsing**. Both advisories classify the issues as remote code execution flaws, indicating that successful exploitation could allow an attacker to run arbitrary code on a targeted Windows system. The disclosures point to risk across widely used Windows functionality rather than a single application, underscoring the need for defenders to review affected product versions and apply Microsoft-issued updates through normal patch management channels. The vulnerabilities are tracked under the identifiers `CVE-2022-41118` and `CVE-2025-59295`, with Microsoft maintaining the authoritative remediation details in its Security Update Guide.
May 25, 2026
File Write Flaws in Docudepot PDF Reader and Stackfield Desktop App
Two newly disclosed vulnerabilities expose users of **Docudepot PDF Reader** and the **Stackfield Desktop App** to arbitrary file write attacks that could lead to severe system compromise. **CVE-2026-30292** affects Docudepot PDF Reader: PDF Viewer APP version `1.0.34`, where a weakness in the file import process allows arbitrary file overwrite of critical internal files. The issue is classified as **CWE-73** and carries a `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` score, with reported impact including possible arbitrary code execution and information exposure. **CVE-2026-28373** affects the Stackfield Desktop App before version `1.10.2` on **macOS** and **Windows**. The flaw stems from path traversal in decryption functionality that mishandles the `filePath` property, allowing a malicious export to write arbitrary content to any location on a victim’s filesystem. The vulnerability is tracked as **CWE-22** and was assigned `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H`, reflecting high risk to confidentiality, integrity, and availability when a crafted file is opened.
Apr 3, 2026
Microsoft February 2026 vulnerability disclosures across Windows, Azure, and developer tools
Microsoft published multiple security advisories for **Windows**, **Azure**, and **developer tooling**, including several high-impact issues spanning **remote code execution (RCE)**, **elevation of privilege (EoP)**, **spoofing**, **information disclosure**, **denial of service**, and **security feature bypass**. Notable items include **Azure SDK for Python RCE** `CVE-2026-21531` (CVSS 9.8; **deserialization of untrusted data**), **Windows Shell security feature bypass** `CVE-2026-21510` (CVSS 8.8; exploitability listed as **E:F**), **GitHub Copilot/Visual Studio/VS Code** issues enabling **RCE/EoP/feature bypass** (`CVE-2026-21256`, `CVE-2026-21523`, `CVE-2026-21257`, `CVE-2026-21518`), and **Azure Local RCE** `CVE-2026-21228` (CVSS 8.1; **improper certificate validation**). Additional Windows platform flaws include **Desktop Window Manager EoP** `CVE-2026-21519` (type confusion), **HTTP.sys EoP** `CVE-2026-21232` (untrusted pointer dereference), **WinSock Ancillary Function Driver EoP** `CVE-2026-21238` (improper access control), **Windows Storage EoP** `CVE-2026-21508`, **WSL EoP** `CVE-2026-21237`, **Microsoft Word security feature bypass** `CVE-2026-21514`, **Outlook spoofing** `CVE-2026-21511`, **Windows LDAP DoS** `CVE-2026-21243`, plus **ACI Confidential Containers information disclosure** `CVE-2026-23655` and **Azure IoT Explorer information disclosure** `CVE-2026-21528`. Separately, a detailed third-party writeup described a **Windows Error Reporting Service** local privilege escalation, `CVE-2026-20817`, patched in January 2026, where the **WER service** (`wersvc.dll`) running as `NT AUTHORITY\SYSTEM` allegedly fails to validate requester permissions over **ALPC**, enabling a standard user to trigger process creation with a SYSTEM-derived token (retaining powerful rights such as *SeDebugPrivilege*, *SeImpersonatePrivilege*, and *SeBackupPrivilege*). Another third-party report highlighted a long-standing **libpng** heap buffer issue, `CVE-2026-25646` (CVSS 8.3), in `png_set_quantize()` that can be triggered by a crafted PNG (palette present, histogram absent) leading to an infinite loop/out-of-bounds read with potential for DoS and, with heap grooming, possible code execution; an additional MSRC entry referenced **libjpeg-turbo** `CVE-2023-2804` (heap-based overflow) as an Important RCE-class issue. Collectively, the disclosures reinforce the need to prioritize patching for internet-reachable components and developer tooling, and to treat local EoP bugs as high-risk in post-compromise and lateral movement scenarios.
Feb 11, 2026