DoS + Remote Code Execution via PDF JavaScript in Foxit AI
Summary
| CVE | CVE-2026-12057 |
|---|---|
| State | PUBLISHED |
| Assigner | Foxit |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-15 12:16:23 UTC |
| Updated | 2026-06-16 16:43:11 UTC |
| Description | When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Problem Types: CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 14984358-7092-470d-8f34-ade47a7658a2 | Secondary | 8.6 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | CVSS | 8.6 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Foxit Software Inc. | Foxit AI | affected before 2026-06-15 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.foxit.com/support/security-bulletins.html | 14984358-7092-470d-8f34-ade47a7658a2 | www.foxit.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: mrfathoni (en)
There are currently no legacy QID mappings associated with this CVE.