Description
A crafted XFA PDF can trigger a use-after-free condition during calculate event processing, causing the application to crash and resulting in an arbitrary code execution.
Published: 2026-04-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via use‑after‑free
Action: Check for Patch
AI Analysis

Impact

A crafted PDF that contains an XFA form can trigger a use‑after‑free condition during the calculate event handling in Foxit PDF Editor or Foxit PDF Reader. The flaw causes the application to crash and allows arbitrary code execution, enabling the attacker to run arbitrary programs with the privileges of the user launching the file. This vulnerability is a classic use‑after‑free error (CWE‑416).

Affected Systems

The affected products are Foxit PDF Editor and Foxit PDF Reader produced by Foxit Software Inc. Specific version information was not disclosed; therefore all released versions of these applications are considered vulnerable until an official fix is released.

Risk and Exploitability

The CVSS v3.1 score of 5.5 indicates a moderate severity attack. The EPSS score of less than 1% suggests a low likelihood of exploitation at the time of this analysis, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local: an attacker must supply a malicious PDF to a user who opens or views the file. If the user opens a crafted PDF, the application will crash and can execute arbitrary code, potentially compromising the user’s system.

Generated by OpenCVE AI on April 28, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a security patch or update has been released for Foxit PDF Editor or Reader on the Foxit support site and install it promptly.
  • If no patch is available, disable XFA form support in the PDF viewer settings to prevent triggering the vulnerability.
  • As an alternative, use a PDF viewer that does not support XFA, such as a mainstream browser or other PDF reader, until a vendor fix is released.
  • Regularly monitor the Foxit support bulletins and security advisories for updates to this issue.

Generated by OpenCVE AI on April 28, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Foxit
Foxit pdf Editor
Foxit pdf Reader
CPEs cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
Vendors & Products Foxit
Foxit pdf Editor
Foxit pdf Reader

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader
Vendors & Products Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description A crafted XFA PDF can trigger a use-after-free condition during calculate event processing, causing the application to crash and resulting in an arbitrary code execution.
Title UAF in Foxit PDF Editor/Reader via XFA calculate event
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Foxit Pdf Editor Pdf Reader
Foxitsoftware Foxit Pdf Editor Foxit Reader
cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-04-28T12:50:41.920Z

Reserved: 2026-04-09T03:42:09.733Z

Link: CVE-2026-5939

cve-icon Vulnrichment

Updated: 2026-04-27T13:40:21.534Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T12:16:24.263

Modified: 2026-04-29T17:28:10.207

Link: CVE-2026-5939

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses