IrfanView 4.75
Irfan Skiljan ❘ FreewareAndroid iOS Windows Mac Linux
out of 611 votes
Rank 1 among competitors
Here are recurring security questions and related user issues:
Has IrfanView had real, known security vulnerabilities, and were they fixed?
Yes. IrfanView and its plugins have had multiple publicly documented vulnerabilities over the years, and fixes were typically delivered in subsequent releases. Recent examples include CVE-2024-31007, which was a buffer overflow in the 32-bit 4.66 build involving formats.dll and was fixed in version 4.67 in April 2024. There have also been plugin-specific flaws such as CVE-2024-6811 in the WSQ file parser that could lead to remote code execution, as well as older issues like CVE-2017-9530 affecting IrfanView 4.44 and several historical plugin bugs from the early 2010s. Administrators and users should keep both the core app and all plugins current. You can review the official and database write-ups for details: CVE-2024-31007 on cve.org, CVE-2024-31007 on CVE Details, CVE-2024-6811 on NVD, and CVE-2017-9530.
Were IrfanView users exposed to the 2023 WebP (“libwebp”) vulnerability that was exploited in the wild?
Many desktop apps that decode WebP images were affected by CVE-2023-4863, which is a critical heap overflow in libwebp. Whether IrfanView was directly affected depends on the version of the WebP decoder available to IrfanView at the time on a given system, whether via its plugins or installed OS codecs. The broader industry guidance was to update to libwebp 1.3.2 or newer and to keep image-handling software patched, which IrfanView users should also do. For background on the WebP flaw and its security impact across software ecosystems, consult the NVD entry for CVE-2023-4863 and reputable technical analyses such as Cloudflare’s write-up.
Are IrfanView plugins sandboxed, and have plugins themselves been a source of security problems?
IrfanView’s extensibility relies on in-process plugins (standard Windows DLLs) for file formats and effects, and those plugins are not sandboxed. Therefore, they run with the same privileges as IrfanView. Historically, a number of security issues have originated in plugins, including file-parsing vulnerabilities in specific format handlers such as the WSQ parsing issue from 2024 and older format-specific flaws like the XCF plugin overflow noted by Tenable. Users and enterprises should install plugins only from trusted sources and keep them up to date using the official plugins page. For examples and guidance, see the WSQ parsing CVE-2024-6811, the ImXCF/XCF plugin overflow noted by Tenable, and the official IrfanView plugins page.
Have there been very recent IrfanView plugin vulnerabilities that organizations should track?
Yes. In addition to the WSQ parsing bug (CVE-2024-6811), security trackers list multiple 2025 disclosures for the third-party CADImage plugin used with IrfanView, where malformed DWG files could trigger out-of-bounds reads or memory corruption that may lead to code execution. If your environment uses IrfanView to preview or convert DWG files, you should review whether the CADImage plugin is installed and ensure patched versions are deployed or the plugin is disabled or removed pending vendor fixes. See, for instance, CVE-2025-7261 on CVE Details and an OpenCVE tracker view for IrfanView-related CVEs.
Is there a history of DLL hijacking or similar execution-through-loading issues connected to IrfanView?
There is at least one recorded case in public databases, CVE-2017-9530, where IrfanView 4.44 could be crashed or potentially used for code execution via a crafted file, and security communities often catalog software that is susceptible to DLL search-order hijacking. While not every listing implies a currently exploitable state in supported versions, these records reinforce the need to keep IrfanView updated and to avoid opening untrusted files. You can review CVE-2017-9530 and general discussions of DLL search-order risks in software security literature for appropriate hardening measures.
Do antivirus products ever flag IrfanView installers, and does that indicate a compromise?
Occasionally, users have reported antivirus detections against IrfanView installers or residual installer files. Community analyses have typically concluded that these are false positives based on heuristic detections rather than evidence of a supply-chain compromise. The practical advice is to download only from the official site, to verify checksums when available, and to allow antivirus signature updates to clear false detections. An example discussion appears in a Malwarebytes forum thread about an IrfanView false positive.
What are the safest sources to download IrfanView and its plugins, and how can users avoid supply-chain risks and impostor sites?
The safest approach is to download IrfanView from the official website and to obtain plugins directly from the official plugins page maintained by the developer, which publishes SHA-256 checksums and trusted mirrors. Users should avoid third-party portals and “optimizer” repacks that bundle adware. For integrity assurance, you should compare checksums from the official download pages and keep a record of the expected values within your software inventory process. The official sources are the IrfanView downloads page and the official plugins page.
How does IrfanView check for updates, and what should enterprises know about network behavior?
When you choose “Check for updates,” IrfanView opens the project’s website to display the latest version information relative to your installed build. This web-based check means outbound access to IrfanView’s official domains may be necessary for manual update checks if your environment restricts internet access. Enterprises can document this behavior and mediate access appropriately through their proxy or allow-listing processes. For reference, see the help page for “Check for updates” and the online version check page.
Are there very old, but still relevant, IrfanView vulnerabilities that might linger on unmaintained systems?
Yes. Older plugin vulnerabilities—such as the 2012 heap-based overflow in the Jpeg_LS plugin before IrfanView PlugIns 4.34—can still be present on systems that have not been updated in years. Because some organizations image or freeze systems for kiosk or legacy uses, it is prudent to inventory IrfanView versions and plugin DLLs and to remove or update outdated components. Security catalogs maintain lists of these historical issues for reference during audits and cleanup. For example, see the Jpeg_LS plugin overflow prior to 4.34.
Installations
Alternatives
FastStone Image Viewer
FastStone Image Viewer: A versatile and speedy image viewing software.XnView
XnView: A Versatile Image Viewer for All Your NeedsPhotomizer
Transform Your Photos with Photomizer!HP Photosmart Essential
Organize, edit, and print photos easily with HP Photosmart EssentialImage Resizer for Windows
Effortlessly resize images with Image Resizer for Windows!FastStone Photo Resizer
Efficient Photo Resizing Tool with FastStone Photo ResizerLatest Reviews
|
|
Next Toppers
Next Toppers — CBSE-focused study app with live classes and on-demand lessons |
|
|
카카오톡
KakaoTalk: The All-in-One Messaging Platform Connecting People Globally |
|
|
Krita
Revolutionize your digital art with Krita's powerful tools and unique features! |
|
|
PosterMyWall
PosterMyWall — Easy online poster & social media graphic maker with basic mobile app |
|
|
Copernic Desktop Search
Efficient Desktop Search Tool |
|
|
CPU-Z
Get detailed information about your CPU with CPU-Z by CPUID. |
|
|
UpdateStar Premium Edition
Keeping Your Software Updated Has Never Been Easier with UpdateStar Premium Edition! |
|
|
Google Chrome
Fast and Versatile Web Browser |
|
|
Microsoft Edge
A New Standard in Web Browsing |
|
|
Microsoft Visual C++ 2015 Redistributable Package
Boost your system performance with Microsoft Visual C++ 2015 Redistributable Package! |
|
|
Microsoft OneDrive
Streamline Your File Management with Microsoft OneDrive |
|
|
Microsoft Visual C++ 2010 Redistributable
Essential Component for Running Visual C++ Applications |