Skip to main content

Foxit Pdf Reader CVE-2026-3780

| EUVDEUVD-2026-17761 HIGH
Untrusted Search Path (CWE-426)
2026-04-01 Foxit
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 28, 2026 - 14:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 01, 2026 - 01:45 euvd
EUVD-2026-17761
Analysis Generated
Apr 01, 2026 - 01:45 vuln.today
CVE Published
Apr 01, 2026 - 01:40 nvd
HIGH 7.3

DescriptionCVE.org

The application's installer runs with elevated privileges but resolves system executables and DLLs using untrusted search paths that can include user-writable directories, allowing a local attacker to place malicious binaries with the same names and have them loaded or executed instead of the legitimate system files, resulting in local privilege escalation.

AnalysisAI

Installer privilege escalation in Foxit PDF Reader and Foxit PDF Editor allows local authenticated users to execute arbitrary code with elevated system privileges via DLL search path manipulation. The installer's failure to use absolute paths for system executables enables attackers to plant malicious DLLs in user-writable directories that take precedence during installation, exploiting the trusted installer's elevated permissions. EPSS data not available; no public exploit identified at time of analysis; not listed in CISA KEV.

Technical ContextAI

This vulnerability stems from CWE-426 (Untrusted Search Path), a class of weaknesses where applications fail to properly specify the full path to executables or libraries they load. During installation, Foxit PDF products run with elevated Windows privileges (typically SYSTEM or Administrator) but rely on the operating system's default DLL search order, which checks user-writable directories like the current working directory or user-specific temp folders before system directories. An attacker with standard user privileges can pre-position a malicious DLL with a name matching a system library the installer will load (such as version.dll, dwmapi.dll, or other commonly hijacked libraries). When the installer executes, Windows loads the attacker's DLL instead of the legitimate system file, causing that code to execute with the installer's elevated privileges. The affected products per CPE data are Foxit PDF Reader (cpe:2.3:a:foxit_software_inc.:foxit_pdf_reader) and Foxit PDF Editor (cpe:2.3:a:foxit_software_inc.:foxit_pdf_editor), both widely deployed PDF manipulation tools in enterprise and consumer environments. This vulnerability class is particularly dangerous in Windows environments where installers routinely require administrative privileges and DLL search order behavior is well-documented and exploitable.

RemediationAI

Organizations should immediately consult the official Foxit security bulletin at https://www.foxit.com/support/security-bulletins.html to identify patched versions and obtain updated installers that implement secure DLL loading practices, such as using absolute paths or calling SetDllDirectory/SetDefaultDllDirectories Windows APIs to restrict search paths. Specific patched version numbers are not provided in available data, requiring direct verification from the vendor advisory. As an interim mitigation, restrict installer execution to administrators on dedicated clean systems, ensure installation directories and parent folders have appropriate permissions preventing standard users from writing files, and deploy Foxit products via enterprise management tools that control the installation environment rather than allowing end-users to run installers directly. Consider implementing Windows Defender Application Control or AppLocker policies to prevent execution of unsigned DLLs from user-writable directories during installation processes. Organizations should prioritize upgrading to patched versions once identified in the vendor bulletin, as workarounds provide only partial risk reduction against determined local attackers.

CVE-2026-57240 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor lets a crafted PDF containing JavaScript trigg

CVE-2026-13126 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1/14.0.4 and earlier) allows

CVE-2026-13127 HIGH
7.8 Jul 08

Denial-of-service (and potential memory-corruption) in Foxit PDF Editor (≤14.0.4 / ≤13.2.4 / ≤2026.1.1) and Foxit PDF Re

CVE-2026-13128 HIGH
7.8 Jul 08

Denial-of-service in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1 and earlier) occurs when a victim opens a

CVE-2026-13129 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor (versions 2026.1.1, 13.2.4, 14.0.4 and earlier) allows attack

CVE-2026-57238 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader and Foxit PDF Editor allows a crafted PDF to trigger a use-after-free through the

CVE-2026-57242 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Reader (2026.1.1 and earlier) and Foxit PDF Editor (through 14.0.4, 13.2.4

CVE-2026-57245 HIGH
7.8 Jul 08

Memory corruption in Foxit PDF Reader (≤2026.1.1) and Foxit PDF Editor (≤14.0.4, ≤13.2.4, and ≤2026.1.1) allows an attac

CVE-2026-57246 HIGH
7.8 Jul 08

Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin pr

CVE-2026-57248 HIGH
7.8 Jul 08

Memory-corruption crash (and potential code execution) in Foxit PDF Reader and Foxit PDF Editor occurs when a PDF's embe

CVE-2026-57249 HIGH
7.8 Jul 08

Use-after-free memory corruption in Foxit PDF Editor and Foxit PDF Reader allows a crafted PDF to crash the application

CVE-2026-57251 HIGH
7.8 Jul 08

Denial of service in Foxit PDF Editor and Foxit PDF Reader arises when the application renders a PDF containing cloud-st

Share

CVE-2026-3780 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy