ZeroPath at Black Hat USA 2026

Foxit PDF Reader CVE-2026-12057: Brief Summary of JavaScript Sandbox Bypass Leading to Arbitrary Code Execution

A brief summary of CVE-2026-12057, a high severity JavaScript sandbox bypass in Foxit PDF products that allows remote script loading and arbitrary code execution when a user opens a crafted PDF file.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-15

Foxit PDF Reader CVE-2026-12057: Brief Summary of JavaScript Sandbox Bypass Leading to Arbitrary Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A JavaScript sandbox bypass in Foxit PDF products allows attackers to load remote scripts and achieve arbitrary code execution simply by convincing a user to open a crafted PDF file. With a CVSS score of 8.6 and Foxit's claimed installed base of over 700 million users across 485,000 customer organizations, this vulnerability represents a meaningful risk to enterprise environments that rely on Foxit as their primary PDF solution.

Foxit Software, founded in 1996 and headquartered in Fremont, California, develops PDF tools for viewing, editing, signing, and printing PDF documents. The company is widely regarded as the leading alternative to Adobe Acrobat and is commonly deployed across enterprise environments via MSI packages. Foxit was named one of the best software companies on G2's 2025 Best Software Awards and maintains a significant presence in both the SMB and global enterprise markets.

CVE-2026-12057 was published on June 15, 2026. As of that date, no official patch version has been confirmed, no full CVSS vector has been published by the NVD, and no specific affected version ranges have been disclosed.

Technical Information

Root Cause: CWE-829 and the Blocklist Problem

CVE-2026-12057 is classified under CWE-829: Inclusion of Functionality from Untrusted Control Sphere. This weakness occurs when a product imports or includes executable functionality from a source outside its intended control sphere without sufficient protection mechanisms. In this case, Foxit's PDF rendering engine includes a JavaScript execution environment (sandbox) that processes scripts embedded in PDF files. The sandbox is designed to intercept dangerous API calls and prevent untrusted code from interacting with the underlying operating system. However, the sandbox fails to intercept some dangerous interfaces, which allows remote scripts to be loaded and ultimately enables arbitrary code execution.

The core architectural issue is that Foxit's sandbox appears to operate on a blocklist model: specific known dangerous interfaces are individually blocked, while everything else is permitted. This stands in contrast to the CWE-829 recommended mitigation of using an allowlist approach, where only explicitly approved function calls are permitted within the sandbox. Each time a new dangerous interface is discovered that was not on the blocklist, the sandbox can be bypassed.

Historical Dangerous Interfaces in Foxit's JavaScript API

Research into prior Foxit sandbox bypasses has documented several JavaScript API functions that have been exploited in similar attacks. These include:

  • app.launchURL: Used to open URLs, potentially including local file protocol handlers
  • xfa.host.gotoURL: Demonstrated to execute local programs such as cmd.exe by using the file:/// protocol handler; historically not protected by Trust Manager or Safe Reading Mode
  • this.saveAs: Used to drop malicious files (such as .hta HTML applications) onto the local file system
  • xfa.host.exportData: Similarly used for writing files to disk

While the specific interfaces exploited in CVE-2026-12057 have not been publicly disclosed, the vulnerability description confirms the same fundamental pattern: unblocked interfaces enabling remote script loading.

Attack Flow

Based on the vulnerability description and the well documented pattern of prior Foxit sandbox bypasses, the exploitation flow for CVE-2026-12057 follows these steps:

  1. Crafting the malicious PDF: The attacker creates a PDF document containing embedded JavaScript that targets one or more dangerous interfaces not intercepted by the Foxit sandbox.

  2. Delivery: The PDF is delivered to the victim, most commonly via email attachment, a link to a download, or through a compromised document sharing platform. PDF based attacks are particularly effective in phishing campaigns because PDF files are routinely exchanged in business contexts.

  3. Execution within the sandbox: When the victim opens the PDF in Foxit PDF Reader or Editor, the embedded JavaScript executes within the sandbox environment. Under normal circumstances, the sandbox would intercept calls to dangerous APIs and prevent them from executing.

  4. Sandbox bypass via unblocked interfaces: The JavaScript leverages interfaces that the sandbox does not intercept. These unblocked interfaces allow the script to load remote content, specifically external scripts hosted on attacker controlled infrastructure.

  5. Arbitrary code execution: The remotely loaded scripts execute with the privileges of the Foxit process, achieving arbitrary code execution on the victim's system.

Case Study: 2017 Safe Reading Mode Bypass via XFA Events

In 2017, researcher InsertScript documented that Foxit Reader's Safe Reading Mode, which is enabled by default to prohibit script execution, could be bypassed using XFA XML structures. An "initialized" event for a button element triggered so early during PDF parsing that the security mode was not yet applied. This allowed JavaScript to execute before protections were in place, demonstrating a fundamental timing flaw in the sandbox initialization sequence. The xfa.host.gotoURL function was shown to execute cmd.exe via the file:/// protocol, and this.saveAs along with xfa.host.exportData could drop .hta files to disk.

Case Study: 2017 Flash Based Sandbox Escape

Researcher Bjorn Ruytenberg demonstrated that a modified PDF could trigger Foxit Reader to run embedded Flash content outside the Safe Mode sandbox without any user interaction. The attack forced the underlying Flash Player to execute code within the local-trusted sandbox, providing unrestricted access to the victim's file system and remote servers. This affected Foxit Reader and PhantomPDF versions 7.3.4.311 and earlier.

Case Study: 2022 Outdated V8 JavaScript Engine RCE

SEC Consult researcher R. Freingruber discovered that Foxit PDF Reader utilized an outdated version (7.7.299.6, from August 2019) of Google Chrome's V8 JavaScript engine, which was vulnerable to publicly known memory corruption flaws including CVE-2020-6418. The exploit bypassed Foxit's removal of ArrayBuffer and BigUint32Array by using SharedArrayBuffer in conjunction with DataView objects. WebAssembly was then leveraged to allocate a memory region that was both writable and executable, enabling shellcode execution. This was fixed in Foxit version 12.0.1.

CWE-829 is associated with several CAPEC attack patterns, including CAPEC-175 (Code Inclusion), CAPEC-201 (Serialized Data External Linking), and CAPEC-228 (DTD Injection). In the context of PDF based attacks, CAPEC-175 is the most directly relevant: the attacker causes the application to download and execute code from an untrusted source.

Affected Systems and Versions

As of June 15, 2026, the NVD record for CVE-2026-12057 does not specify which Foxit product versions are vulnerable. No fix version has been announced in the Foxit security bulletins. The affected products are Foxit PDF Reader and Foxit PDF Editor based on the nature of the vulnerability (JavaScript sandbox bypass during PDF rendering).

For reference, other recent Foxit CVEs have affected the following version ranges:

CVE IDAffected VersionsFix Version
CVE-2026-5941Foxit PDF Reader/Editor 2026.1.0.36452 and earlierReader 2026.1.1, Editor 2026.1.1/14.0.4
CVE-2026-3777Reader/Editor 2025.3.0.35737 and earlierReader 2026.1, Editor 2026.1
CVE-2025-66493Reader/Editor before 2025.2.1, 14.0.12025.2.1, 14.0.1

Organizations should assume that current and recent versions of Foxit PDF Reader and Editor may be affected until Foxit publishes a specific advisory with version details.

While awaiting an official patch, the following mitigations reduce the attack surface:

  1. Verify Safe Reading Mode is enabled: Navigate to File > Preferences > Trust Manager and confirm "Enable safe reading mode" is checked. This is enabled by default but may have been disabled in some deployments. Note that historical bypasses have shown Safe Reading Mode is not always sufficient, but it raises the exploitation bar.

  2. Disable JavaScript execution entirely: Navigate to File > Preferences > JavaScript and disable JavaScript execution in PDFs. This eliminates the attack vector but will break PDF forms and interactive features that rely on JavaScript.

  3. Restrict PDF sources: Do not open PDF files received from unknown or untrusted senders, particularly via email attachments or downloads from unverified websites.

  4. Deploy endpoint detection: Use endpoint protection solutions to detect and block suspicious child processes spawned by Foxit PDF Reader or Editor, which may indicate exploitation attempts.

  5. Monitor for patches: Check the Foxit Security Bulletins page regularly for an official fix.

Vendor Security History

Foxit has a substantial and recurring history of security vulnerabilities in its JavaScript execution and sandbox implementation. The following table summarizes notable recent CVEs:

CVE IDTypeAffected ProductsFix Version
CVE-2026-5941Arbitrary code execution (invalid memory write)Reader/Editor 2026.1.0.36452 and earlierReader 2026.1.1, Editor 2026.1.1/14.0.4
CVE-2026-3777Use after free with JavaScriptReader/Editor 2025.3.0.35737 and earlierReader 2026.1, Editor 2026.1
CVE-2026-3779Use after freeSame as CVE-2026-3777Same as CVE-2026-3777
CVE-2026-3780Untrusted search path privilege escalationEditor 14.0.2.33402 and earlierEditor 14.0.3
CVE-2026-1591/1592Stored XSS in Foxit PDF Editor CloudFoxit PDF Editor CloudFebruary 3, 2026 update
CVE-2025-66493Use after free in AcroForm handlingReader/Editor before 2025.2.1, 14.0.12025.2.1, 14.0.1
CVE-2025-32451Memory corruptionFoxit PDF Reader 2025.1.0.27937Noted in advisory
CVE-2025-9326/9328Out of bounds read in PRC parsingFoxit PDF ReaderNoted in advisory

This pattern reveals a recurring theme: Foxit's sandbox and JavaScript handling have been repeatedly found wanting, with multiple arbitrary code execution vulnerabilities appearing in the 2025 and 2026 timeframe alone. The 2022 SEC Consult advisory is particularly instructive, as it revealed Foxit was shipping a V8 JavaScript engine version from August 2019 that was vulnerable to publicly known memory corruption flaws. Foxit has also historically declined to patch certain vulnerabilities if they required Safe Reading Mode to be disabled, relying on the sandbox as a sufficient mitigation even when bypasses were known.

The company does maintain a formal vulnerability disclosure process and states that "a prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority." However, the frequency and similarity of these CVEs suggest deeper architectural issues in the JavaScript sandbox implementation, specifically the reliance on a blocklist approach rather than a comprehensive allowlist model.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization