Description
The embedded JavaScript in the PDF deleted the pages, making the object invalid. The application attempted to perform a write operation on the invalid pop-up annotations, resulting in the program crashing.
Published: 2026-07-08
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when embedded JavaScript deletes pages, leaving annotations invalid. The application then attempts to write to these invalid annotations, causing a crash. The use‑after‑free can be exploited by a crafted PDF, potentially allowing remote code execution, as indicated by the vendor’s classification.

Affected Systems

Foxit PDF Editor and Foxit PDF Reader. No specific version information is provided by the known CNA.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. No EPSS score is available, so the likelihood of exploitation is unknown. The vulnerability is not listed in CISA KEV. The attack vector is inferred to be local via a malicious PDF file supplied to the user or system.

Generated by OpenCVE AI on July 8, 2026 at 15:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Foxit PDF Editor and Foxit PDF Reader to the latest patched versions.
  • Disable or restrict JavaScript execution in PDF files to prevent exploitation.
  • Avoid opening PDFs from untrusted sources or run the viewer in a sandboxed environment.

Generated by OpenCVE AI on July 8, 2026 at 15:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 08:30:00 +0000

Type Values Removed Values Added
Description The embedded JavaScript in the PDF deleted the pages, making the object invalid. The application attempted to perform a write operation on the invalid pop-up annotations, resulting in the program crashing.
Title Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-07-08T12:13:27.791Z

Reserved: 2026-06-24T03:01:45.197Z

Link: CVE-2026-13126

cve-icon Vulnrichment

Updated: 2026-07-08T12:13:07.848Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T15:15:04Z

Weaknesses