Skip to main content

Foxit AI CVE-2026-12057

| EUVDEUVD-2026-36715 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-15 Foxit GHSA-9jq6-3jwj-jrfh
7.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Foxit) PRIMARY
HIGH
qualitative
NVD
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local file open with user interaction (AV:L, UI:R), no privileges needed (PR:N), low complexity once PDF is opened, and full code execution yields C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Foxit).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jun 16, 2026 - 16:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 16, 2026 - 16:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 16, 2026 - 16:52 vuln.today
cvss_changed
CVSS changed
Jun 16, 2026 - 16:52 NVD
8.6 (HIGH) 7.8 (HIGH)
Analysis Generated
Jun 15, 2026 - 12:24 vuln.today

DescriptionNVD

When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution.

AnalysisAI

Arbitrary code execution in Foxit AI (versions before 2026-06-15) occurs when the application processes JavaScript embedded in a PDF inside its sandbox but fails to intercept dangerous interfaces, permitting remote script loading. A user must open a malicious PDF for exploitation to succeed, and no public exploit identified at time of analysis with EPSS at only 0.13%. SSVC reports total technical impact but no observed exploitation.

Technical ContextAI

Foxit AI integrates JavaScript processing for PDF documents, executing scripts inside a sandbox intended to constrain access to host resources. CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) identifies the root cause: the sandbox does not fully mediate certain JavaScript interfaces, allowing the embedded script to fetch and execute remote payloads from attacker-controlled origins. Affected products per CPE are cpe:2.3:a:foxit_software_inc.:foxit_ai:*:*:*:*:*:*:*:*, indicating all Foxit AI builds prior to the fix date are in scope.

RemediationAI

Patch available per vendor advisory: upgrade Foxit AI to a build dated 2026-06-15 or later per the Foxit security bulletin at https://www.foxit.com/support/security-bulletins.html. Until upgrade is possible, disable JavaScript execution in PDF preferences (this breaks legitimate interactive forms and dynamic content), block opening of PDFs from untrusted sources at the email gateway and web proxy, and restrict outbound network access from the Foxit AI process so the sandbox cannot reach attacker-controlled script hosts - note that endpoint egress filtering may break other legitimate remote-content features. User-awareness reminders to avoid opening unsolicited PDFs are a partial compensating control given the UI:R requirement.

Share

CVE-2026-12057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy