Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv — splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch.

The version of evince installed on the remote host is prior to 3.28.2-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3354 advisory.

    CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing     quoting of shell-like input in ev_spawn() in ev-application.c. (CVE-2026-46529)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:27819 advisory.

    The evince packages provide a simple multi-page document viewer for Portable Document Format (PDF),     PostScript (PS), Encapsulated PostScript (EPS) files, and, with additional back-ends, also the Device     Independent File format (DVI) files.

    Security Fix(es):

    * atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via --gtk-module     dlopen (CVE-2026-46529)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6349 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6349-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     June 17, 2026                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : atril     CVE ID         : CVE-2026-46529     Debian Bug     : 1139874

    It was discovered that atril, the MATE document viewer, is prone to a     command injection vulnerability if a specially crafted PDF file is     opened.

    For the stable distribution (trixie), this problem has been fixed in     version 1.26.2-4+deb13u1.

    We recommend that you upgrade your atril packages.

    For the detailed security status of atril please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/atril

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dla-4632 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4632-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Andreas Henriksson     June 16, 2026                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : atril     Version        : 1.26.0-2+deb12u4     CVE ID         : CVE-2026-46529     Debian Bug     : 1139874

    It was discovered that atril, a simple multi-page document viewer, is     prone to a command injection vulnerability if a specially crafted PDF     file is opened.

    For Debian 12 bookworm, this problem has been fixed in version     1.26.0-2+deb12u4.

    For Debian 11 bullseye, see DLA 4597-1.

    We recommend that you upgrade your atril packages.

    For the detailed security status of atril please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/atril

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of atril installed on the remote host is prior to 1.20.2-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2MATE-DESKTOP1.X-2026-011 advisory.

    CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing     quoting of shell-like input in ev_spawn() in ev-application.c. (CVE-2026-46529)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1782 advisory.

    CVE-2026-46529 is a command injection vulnerability in Evince, Atril, and Xreader caused by missing     quoting of shell-like input in ev_spawn() in ev-application.c. (CVE-2026-46529)

    An unsoundness issue (RUSTSEC-2026-0097) was also found in the bundled Rust rand crate. ThreadRng methods     use unsafe code that can create aliased mutable references when a custom logger accesses rand::rng() or     rand::thread_rng() during reseeding, resulting in undefined behavior.

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20850-1 advisory.

    Changes in evince:

    - Update to version 48.2 (bsc#1265880 CVE-2026-46529):
      - shell: Quote strings in arguments used when calling ev_spawn

    - Update to version 48.1+6:
      - build: bump DjVuLibre version required
      - libview: Fix crash in the accessible code when page cache text is NULL
      - po: Fix xml element in Hindi translation
      - Updated translations.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8321-1 advisory.

    It was discovered that Papers incorrectly handled PDF /GoToR actions. If a user were tricked into opening     a specially crafted PDF file, an attacker could use this issue to manipulate command lines and possibly     execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8295-1 advisory.

    It was discovered that Evince did not properly sanitize command-line arguments in PDF /GoToR actions. If a     user opened a specially crafted PDF file, an attacker could possibly use this issue to execute arbitrary     code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-49dc95b509 advisory.

    Fix command injection CVE-2026-46529


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4597 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4597-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Andreas Henriksson     May 22, 2026                                  https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : atril     Version        : 1.24.0-1+deb11u2     CVE ID         : CVE-2026-46529

    It was discovered that atril, a simple multi-page document viewer, is     prone to a command injection vulnerability if a specially crafted PDF     file is opened.

    For Debian 11 bullseye, this problem has been fixed in version     1.24.0-1+deb11u2.

    We recommend that you upgrade your atril packages.

    For the detailed security status of atril please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/atril

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4596 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4596-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Andreas Henriksson     May 22, 2026                                  https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : evince     Version        : 3.38.2-1+deb11u1     CVE ID         : CVE-2026-46529

    It was discovered that evince, a simple multi-page document viewer, is     prone to a command injection vulnerability if a specially crafted PDF     file is opened.

    For Debian 11 bullseye, this problem has been fixed in version     3.38.2-1+deb11u1.

    We recommend that you upgrade your evince packages.

    For the detailed security status of evince please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/evince

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has packages installed that are affected by a vulnerability as referenced in the dsa-6286 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6286-1                   security@debian.org     https://www.debian.org/security/                     Salvatore Bonaccorso     May 21, 2026                          https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : evince     CVE ID         : CVE-2026-46529

    It was discovered that evince, a simple multi-page document viewer, is     prone to a command injection vulnerability if a specially crafted PDF     file is opened.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 43.1-2+deb12u1.

    For the stable distribution (trixie), this problem has been fixed in     version 48.1-3+deb13u1.

    We recommend that you upgrade your evince packages.

    For the detailed security status of evince please refer to its security     tracker page at:
    https://security-tracker.debian.org/tracker/evince

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-aea94fcc1c advisory.

    Fix command injection CVE-2026-46529

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-d29bd1ad07 advisory.

    Fix command injection CVE-2026-46529

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-     click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to     achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF     document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF     shared library, making the attack a single-file, single-click, configuration-independent RCE on stock     atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from     attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then     handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv  splitting any     embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init,     running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the     issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-     document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original     patch did not touch. (CVE-2026-46529)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
322047	Amazon Linux 2 : evince, --advisory ALAS2-2026-3354 (ALAS-2026-3354)	Nessus	Amazon Linux Local Security Checks	high
321962	RHEL 9 : evince (RHSA-2026:27819)	Nessus	Red Hat Local Security Checks	high
321495	Debian dsa-6349 : atril - security update	Nessus	Debian Local Security Checks	high
321272	Debian dla-4632 : atril - security update	Nessus	Debian Local Security Checks	high
319790	Amazon Linux 2 : atril, --advisory ALAS2MATE-DESKTOP1.X-2026-011 (ALASMATE-DESKTOP1.X-2026-011)	Nessus	Amazon Linux Local Security Checks	high
319788	Amazon Linux 2023 : papers, papers-devel, papers-libs (ALAS2023-2026-1782)	Nessus	Amazon Linux Local Security Checks	high
318174	openSUSE 16 Security Update : evince (openSUSE-SU-2026:20850-1)	Nessus	SuSE Local Security Checks	high
317469	Ubuntu 25.10 / 26.04 LTS : Papers vulnerability (USN-8321-1)	Nessus	Ubuntu Local Security Checks	high
316638	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Evince vulnerability (USN-8295-1)	Nessus	Ubuntu Local Security Checks	high
316627	Fedora 42 : evince (2026-49dc95b509)	Nessus	Fedora Local Security Checks	high
316546	Debian dla-4597 : atril - security update	Nessus	Debian Local Security Checks	high
316544	Debian dla-4596 : evince - security update	Nessus	Debian Local Security Checks	high
316044	Debian dsa-6286 : evince - security update	Nessus	Debian Local Security Checks	high
315984	Fedora 44 : evince (2026-aea94fcc1c)	Nessus	Fedora Local Security Checks	high
315968	Fedora 43 : evince (2026-d29bd1ad07)	Nessus	Fedora Local Security Checks	high
315531	Linux Distros Unpatched Vulnerability : CVE-2026-46529	Nessus	Misc.	high

Detections

Analytics

CVE-2026-46529

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high