CVE-2025-51966: 
Homebrew vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability (CVE-2025-51966) was discovered in the PDF preview functionality of uTools through version 7.1.1. The vulnerability was discovered on May 27, 2025, and affects the Windows versions of uTools. When a user previews a specially crafted PDF file, embedded JavaScript code executes within the application's privileged context (NVD, T1sts Blog).

The vulnerability stems from inadequate validation of font type processing in the PDF preview functionality. The PDF.js library used by uTools fails to properly sanitize FontMatrix fields and other executable content during PDF parsing. This allows attackers to embed malicious JavaScript code that executes when the PDF is previewed. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility with required user interaction (AttackerKB, T1sts Blog).

Due to uTools' high integration and extensive system permissions, successful exploitation could lead to theft of sensitive information stored in uTools (including notes, passwords, and scripts), unauthorized system operations, and potential use as a stepping stone for further attacks. The vulnerability primarily affects confidentiality and integrity, with no direct impact on system availability (T1sts Blog).

As a temporary mitigation measure, users are advised to immediately disable the file preview functionality in uTools settings until a patch is available (T1sts Blog).