Foxit PDF Editor/Reader XDP XFA XXE arbitrary local file read
Summary
| CVE | CVE-2026-57259 |
|---|---|
| State | PUBLISHED |
| Assigner | Foxit |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-08 09:16:34 UTC |
| Updated | 2026-07-09 14:28:47 UTC |
| Description | The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local paths, thereby allowing access to any local files within the user's permission range. |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from 14984358-7092-470d-8f34-ade47a7658a2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.002050000 probability, percentile 0.106110000 (date 2026-07-11)
Problem Types: CWE-611 | CWE-611 Improper Restriction of XML External Entity Reference (CWE-611)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 14984358-7092-470d-8f34-ade47a7658a2 | Secondary | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| 3.1 | CNA | CVSS | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Editor | All | All | All | All |
| Application | Foxit | Pdf Reader | All | All | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 2026.1.1 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 14.0.4 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Editor | affected Versions 13.2.4 and earlier | Windows |
| CNA | Foxit Software Inc. | Foxit PDF Reader | affected Versions 2026.1.1 and earlier | Windows |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.foxit.com/support/security-bulletins.html | 14984358-7092-470d-8f34-ade47a7658a2 | www.foxit.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Trung Nguyen (@everping) of CyStack (en)
There are currently no legacy QID mappings associated with this CVE.