CVE-2025-51966: 
Homebrew vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability (CVE-2025-51966) was discovered in the PDF preview functionality of uTools through version 7.1.1. The vulnerability was discovered on May 27, 2025, and affects the Windows versions of uTools. When a user previews a specially crafted PDF file, embedded JavaScript code executes within the application's privileged context (T1sts Blog, NVD).

The vulnerability stems from insufficient validation of font type processing in the PDF preview functionality. The PDF.js library used by uTools fails to properly sanitize the FontMatrix fields and other executable content within PDF files, allowing embedded JavaScript code to execute in the application's context. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (AttackerKB, T1sts Analysis).

The vulnerability can allow attackers to steal sensitive data stored in uTools (including notes, passwords, and scripts) or perform unauthorized actions. Given uTools' high integration level and system privileges, the vulnerability could potentially serve as a stepping stone for further attacks (T1sts Analysis).

As a temporary mitigation measure, users are advised to disable the file preview functionality in uTools settings until a patch is available (T1sts Analysis).