CVE-2026-46529

Public on 2026-05-21

Modified on 2026-05-21

Description

CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing quoting of shell-like input in ev_spawn() in ev-application.c.

Severity

Important

See what this means

CVSS v3 Base Score

7.8

See breakdown

Affected Packages

Platform	Package	Status
Amazon Linux 2 - Mate-desktop1.x Extra	atril	Pending Fix
Amazon Linux 2 - Core	evince	Pending Fix
Amazon Linux 2023	papers	Pending Fix

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.8	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-46529 Mitre: CVE-2026-46529