Impact
Foxit AI's PDF viewer executes JavaScript embedded in PDF documents inside a sandbox. When a malicious PDF contains script that attempts to reach protected interfaces, the sandbox fails to block certain dangerous calls, allowing the script to load and run arbitrary code. This defect aligns with CWE-829, indicating improper restriction of privilege levels, and enables both denial-of-service conditions and full remote code execution, with the attacker's code running at the same privilege level as the Foxit AI process.
Affected Systems
Foxit AI from Foxit Software Inc. is affected. The advisory cites no specific versions, so all current releases should be treated as at risk until a vendor patch is released.
Risk and Exploitability
The CVSS score of 8.6 denotes a high-severity vulnerability that is exploitable over the network. Based on the description, the inferred attack vector is a user opening a crafted PDF delivered via email or download. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, which suggests no widely known exploitation yet; however, the RCE capability and the lack of robust sandboxing make it a likely target once an attacker can get a crafted document in front of a user.
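Because the delivery scenario is a crafted PDF reaching a user, a practical mitigation while no patch exists is to flag documents that carry embedded JavaScript wired to an automatic trigger before they reach the viewer. The following is an added example written for this page, not code from the advisory, OpenCVE or Foxit; the sample PDFs and the indicator list are constructed here, and the check is a first-pass filter that only sees names in uncompressed objects.

```python
import re
from typing import Dict

# PDF name objects that indicate embedded script or an automatic action.
# A viewer runs /JS code when the document opens (/OpenAction) or when a
# page or annotation event fires (/AA); /Launch starts an external program.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (/J#61vaScript -> /JavaScript).
    Name obfuscation is a common way to hide /JS from naive scanners."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_indicators(pdf_bytes: bytes) -> Dict[str, int]:
    """Count each indicator name as a whole token (so /JS does not match /JSX)."""
    data = normalize_names(pdf_bytes)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pattern = re.escape(name.encode()) + rb"(?![0-9A-Za-z])"
        counts[name] = len(re.findall(pattern, data))
    return counts


def should_quarantine(pdf_bytes: bytes) -> bool:
    """Flag a document that carries script plus an automatic trigger, or a /Launch.
    Caveat: objects inside compressed object streams (FlateDecode) are invisible
    to this byte-level scan; decompress them first for full coverage."""
    c = count_indicators(pdf_bytes)
    has_script = c["/JavaScript"] > 0 or c["/JS"] > 0
    auto_trigger = c["/OpenAction"] > 0 or c["/AA"] > 0
    return (has_script and auto_trigger) or c["/Launch"] > 0


# Constructed sample: minimal PDF whose OpenAction runs a harmless script,
# with the /JavaScript name hex-escaped to mimic obfuscation.
SAMPLE_JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no script or action at all.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Run this over incoming attachments at the mail gateway or on the endpoint and route anything that `should_quarantine` flags to manual review rather than to the viewer.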
OpenCVE Enrichment