Description
When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution.
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Foxit AI’s PDF viewer executes embedded JavaScript within a sandbox environment. When a malicious PDF contains script that attempts to access protected interfaces, the sandbox fails to block certain dangerous calls, permitting the JavaScript to load and run arbitrary code. This defect aligns with CWE‑829, indicating improper restriction of privilege levels, and enables both denial‑of‑service conditions and full remote code execution, giving an attacker the ability to run code with the same privileges as the Foxit AI process.

Affected Systems

Foxit Software Inc. Foxit AI is affected. No specific version citations are provided in the advisory, so all current releases remain at risk until a vendor patch is released.

Risk and Exploitability

The CVSS score of 8.6 denotes a high‑severity vulnerability, exposing applications to exploitation over the network. Based on the description, it is inferred that the attack vector is a user opening a crafted PDF delivered via email or download. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, suggesting no widely known exploitation yet, but the RCE capability and lack of robust sandboxing make it a potential target once the delivery scenario is achieved.

Generated by OpenCVE AI on June 15, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available security patch or update released by Foxit for Foxit AI that addresses the sandbox failure
  • If a patch is not yet available, disable JavaScript execution in the PDF viewer or configure the sandbox to block external script loading
  • Monitor Foxit’s security bulletins and apply subsequent updates promptly once the issue is resolved

Generated by OpenCVE AI on June 15, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Foxitsoftware
Foxitsoftware foxit Ai
Vendors & Products Foxitsoftware
Foxitsoftware foxit Ai

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Foxit
Foxit ai
CPEs cpe:2.3:a:foxit:ai:*:*:*:*:*:*:*:*
Vendors & Products Foxit
Foxit ai

Mon, 15 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution.
Title DoS + Remote Code Execution via PDF JavaScript in Foxit AI
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-06-15T12:34:17.323Z

Reserved: 2026-06-12T02:37:21.297Z

Link: CVE-2026-12057

cve-icon Vulnrichment

Updated: 2026-06-15T12:34:12.819Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T12:16:23.050

Modified: 2026-06-16T16:43:11.693

Link: CVE-2026-12057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:09:31Z

Weaknesses
  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere