Description
Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes.
Published: 2026-04-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw that can be triggered by calling a function that refreshes the UI after comments are removed via script. The flaw can lead to program crashes.

Affected Systems

The flaw affects Foxit Software Inc.’s Foxit PDF Editor and Foxit PDF Reader. Specific vulnerable versions are not listed in the advisory, so all current releases should be checked against the vendor’s update schedule.

Risk and Exploitability

The CVSS score is 7.8, reflecting a high severity; the EPSS score is below 1%, indicating the likelihood of exploitation is low but not zero, and it is not currently listed in the CISA KEV catalog. The flaw can be exploited by delivering a malicious or script‑laden PDF to a user, triggering the UI refresh path after comment deletion, which could crash the application.

Generated by OpenCVE AI on April 28, 2026 at 13:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch or update Foxit PDF Editor and Reader to the most recent version as recommended by the vendor.
  • Disable or restrict JavaScript execution in PDFs if possible, or use a sandboxed viewer when handling untrusted documents.
  • If a patch is unavailable immediately, consider removing or disabling the annotation comment removal functionality or preventing scripts that modify comments from executing.

Generated by OpenCVE AI on April 28, 2026 at 13:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Foxit
Foxit pdf Editor
Foxit pdf Reader
CPEs cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
Vendors & Products Foxit
Foxit pdf Editor
Foxit pdf Reader

Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader
Vendors & Products Foxitsoftware
Foxitsoftware foxit Pdf Editor
Foxitsoftware foxit Reader

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description Calling a function that triggers a UI refresh after removing comments via a script may access an invalidated object, leading to program crashes.
Title Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Foxit Pdf Editor Pdf Reader
Foxitsoftware Foxit Pdf Editor Foxit Reader
cve-icon MITRE

Status: PUBLISHED

Assigner: Foxit

Published:

Updated: 2026-04-28T03:55:22.371Z

Reserved: 2026-04-09T03:42:11.434Z

Link: CVE-2026-5940

cve-icon Vulnrichment

Updated: 2026-04-27T13:40:18.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T12:16:24.377

Modified: 2026-04-29T17:26:50.220

Link: CVE-2026-5940

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses