Introduction
A JavaScript sandbox bypass in Foxit PDF products allows attackers to load remote scripts and achieve arbitrary code execution simply by convincing a user to open a crafted PDF file. With a CVSS score of 8.6 and Foxit's claimed installed base of over 700 million users across 485,000 customer organizations, this vulnerability represents a meaningful risk to enterprise environments that rely on Foxit as their primary PDF solution.
Foxit Software, founded in 1996 and headquartered in Fremont, California, develops PDF tools for viewing, editing, signing, and printing PDF documents. The company is widely regarded as the leading alternative to Adobe Acrobat and is commonly deployed across enterprise environments via MSI packages. Foxit was named one of the best software companies on G2's 2025 Best Software Awards and maintains a significant presence in both the SMB and global enterprise markets.
CVE-2026-12057 was published on June 15, 2026. As of that date, no official patch version has been confirmed, no full CVSS vector has been published by the NVD, and no specific affected version ranges have been disclosed.
Technical Information
Root Cause: CWE-829 and the Blocklist Problem
CVE-2026-12057 is classified under CWE-829: Inclusion of Functionality from Untrusted Control Sphere. This weakness occurs when a product imports or includes executable functionality from a source outside its intended control sphere without sufficient protection mechanisms. In this case, Foxit's PDF rendering engine includes a JavaScript execution environment (sandbox) that processes scripts embedded in PDF files. The sandbox is designed to intercept dangerous API calls and prevent untrusted code from interacting with the underlying operating system. However, the sandbox fails to intercept some dangerous interfaces, which allows remote scripts to be loaded and ultimately enables arbitrary code execution.
The core architectural issue is that Foxit's sandbox appears to operate on a blocklist model: specific known dangerous interfaces are individually blocked, while everything else is permitted. This stands in contrast to the CWE-829 recommended mitigation of using an allowlist approach, where only explicitly approved function calls are permitted within the sandbox. Each time a new dangerous interface is discovered that was not on the blocklist, the sandbox can be bypassed.
Historical Dangerous Interfaces in Foxit's JavaScript API
Research into prior Foxit sandbox bypasses has documented several JavaScript API functions that have been exploited in similar attacks. These include:
app.launchURL: Used to open URLs, potentially including local file protocol handlersxfa.host.gotoURL: Demonstrated to execute local programs such ascmd.exeby using thefile:///protocol handler; historically not protected by Trust Manager or Safe Reading Modethis.saveAs: Used to drop malicious files (such as.htaHTML applications) onto the local file systemxfa.host.exportData: Similarly used for writing files to disk
While the specific interfaces exploited in CVE-2026-12057 have not been publicly disclosed, the vulnerability description confirms the same fundamental pattern: unblocked interfaces enabling remote script loading.
Attack Flow
Based on the vulnerability description and the well documented pattern of prior Foxit sandbox bypasses, the exploitation flow for CVE-2026-12057 follows these steps:
-
Crafting the malicious PDF: The attacker creates a PDF document containing embedded JavaScript that targets one or more dangerous interfaces not intercepted by the Foxit sandbox.
-
Delivery: The PDF is delivered to the victim, most commonly via email attachment, a link to a download, or through a compromised document sharing platform. PDF based attacks are particularly effective in phishing campaigns because PDF files are routinely exchanged in business contexts.
-
Execution within the sandbox: When the victim opens the PDF in Foxit PDF Reader or Editor, the embedded JavaScript executes within the sandbox environment. Under normal circumstances, the sandbox would intercept calls to dangerous APIs and prevent them from executing.
-
Sandbox bypass via unblocked interfaces: The JavaScript leverages interfaces that the sandbox does not intercept. These unblocked interfaces allow the script to load remote content, specifically external scripts hosted on attacker controlled infrastructure.
-
Arbitrary code execution: The remotely loaded scripts execute with the privileges of the Foxit process, achieving arbitrary code execution on the victim's system.
Case Study: 2017 Safe Reading Mode Bypass via XFA Events
In 2017, researcher InsertScript documented that Foxit Reader's Safe Reading Mode, which is enabled by default to prohibit script execution, could be bypassed using XFA XML structures. An "initialized" event for a button element triggered so early during PDF parsing that the security mode was not yet applied. This allowed JavaScript to execute before protections were in place, demonstrating a fundamental timing flaw in the sandbox initialization sequence. The xfa.host.gotoURL function was shown to execute cmd.exe via the file:/// protocol, and this.saveAs along with xfa.host.exportData could drop .hta files to disk.
Case Study: 2017 Flash Based Sandbox Escape
Researcher Bjorn Ruytenberg demonstrated that a modified PDF could trigger Foxit Reader to run embedded Flash content outside the Safe Mode sandbox without any user interaction. The attack forced the underlying Flash Player to execute code within the local-trusted sandbox, providing unrestricted access to the victim's file system and remote servers. This affected Foxit Reader and PhantomPDF versions 7.3.4.311 and earlier.
Case Study: 2022 Outdated V8 JavaScript Engine RCE
SEC Consult researcher R. Freingruber discovered that Foxit PDF Reader utilized an outdated version (7.7.299.6, from August 2019) of Google Chrome's V8 JavaScript engine, which was vulnerable to publicly known memory corruption flaws including CVE-2020-6418. The exploit bypassed Foxit's removal of ArrayBuffer and BigUint32Array by using SharedArrayBuffer in conjunction with DataView objects. WebAssembly was then leveraged to allocate a memory region that was both writable and executable, enabling shellcode execution. This was fixed in Foxit version 12.0.1.
Related Attack Patterns
CWE-829 is associated with several CAPEC attack patterns, including CAPEC-175 (Code Inclusion), CAPEC-201 (Serialized Data External Linking), and CAPEC-228 (DTD Injection). In the context of PDF based attacks, CAPEC-175 is the most directly relevant: the attacker causes the application to download and execute code from an untrusted source.
Affected Systems and Versions
As of June 15, 2026, the NVD record for CVE-2026-12057 does not specify which Foxit product versions are vulnerable. No fix version has been announced in the Foxit security bulletins. The affected products are Foxit PDF Reader and Foxit PDF Editor based on the nature of the vulnerability (JavaScript sandbox bypass during PDF rendering).
For reference, other recent Foxit CVEs have affected the following version ranges:
| CVE ID | Affected Versions | Fix Version |
|---|---|---|
| CVE-2026-5941 | Foxit PDF Reader/Editor 2026.1.0.36452 and earlier | Reader 2026.1.1, Editor 2026.1.1/14.0.4 |
| CVE-2026-3777 | Reader/Editor 2025.3.0.35737 and earlier | Reader 2026.1, Editor 2026.1 |
| CVE-2025-66493 | Reader/Editor before 2025.2.1, 14.0.1 | 2025.2.1, 14.0.1 |
Organizations should assume that current and recent versions of Foxit PDF Reader and Editor may be affected until Foxit publishes a specific advisory with version details.
Recommended Workarounds
While awaiting an official patch, the following mitigations reduce the attack surface:
-
Verify Safe Reading Mode is enabled: Navigate to File > Preferences > Trust Manager and confirm "Enable safe reading mode" is checked. This is enabled by default but may have been disabled in some deployments. Note that historical bypasses have shown Safe Reading Mode is not always sufficient, but it raises the exploitation bar.
-
Disable JavaScript execution entirely: Navigate to File > Preferences > JavaScript and disable JavaScript execution in PDFs. This eliminates the attack vector but will break PDF forms and interactive features that rely on JavaScript.
-
Restrict PDF sources: Do not open PDF files received from unknown or untrusted senders, particularly via email attachments or downloads from unverified websites.
-
Deploy endpoint detection: Use endpoint protection solutions to detect and block suspicious child processes spawned by Foxit PDF Reader or Editor, which may indicate exploitation attempts.
-
Monitor for patches: Check the Foxit Security Bulletins page regularly for an official fix.
Vendor Security History
Foxit has a substantial and recurring history of security vulnerabilities in its JavaScript execution and sandbox implementation. The following table summarizes notable recent CVEs:
| CVE ID | Type | Affected Products | Fix Version |
|---|---|---|---|
| CVE-2026-5941 | Arbitrary code execution (invalid memory write) | Reader/Editor 2026.1.0.36452 and earlier | Reader 2026.1.1, Editor 2026.1.1/14.0.4 |
| CVE-2026-3777 | Use after free with JavaScript | Reader/Editor 2025.3.0.35737 and earlier | Reader 2026.1, Editor 2026.1 |
| CVE-2026-3779 | Use after free | Same as CVE-2026-3777 | Same as CVE-2026-3777 |
| CVE-2026-3780 | Untrusted search path privilege escalation | Editor 14.0.2.33402 and earlier | Editor 14.0.3 |
| CVE-2026-1591/1592 | Stored XSS in Foxit PDF Editor Cloud | Foxit PDF Editor Cloud | February 3, 2026 update |
| CVE-2025-66493 | Use after free in AcroForm handling | Reader/Editor before 2025.2.1, 14.0.1 | 2025.2.1, 14.0.1 |
| CVE-2025-32451 | Memory corruption | Foxit PDF Reader 2025.1.0.27937 | Noted in advisory |
| CVE-2025-9326/9328 | Out of bounds read in PRC parsing | Foxit PDF Reader | Noted in advisory |
This pattern reveals a recurring theme: Foxit's sandbox and JavaScript handling have been repeatedly found wanting, with multiple arbitrary code execution vulnerabilities appearing in the 2025 and 2026 timeframe alone. The 2022 SEC Consult advisory is particularly instructive, as it revealed Foxit was shipping a V8 JavaScript engine version from August 2019 that was vulnerable to publicly known memory corruption flaws. Foxit has also historically declined to patch certain vulnerabilities if they required Safe Reading Mode to be disabled, relying on the sandbox as a sufficient mitigation even when bypasses were known.
The company does maintain a formal vulnerability disclosure process and states that "a prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority." However, the frequency and similarity of these CVEs suggest deeper architectural issues in the JavaScript sandbox implementation, specifically the reliance on a blocklist approach rather than a comprehensive allowlist model.
References
- NVD: CVE-2026-12057
- Foxit Security Bulletins
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- CISA Known Exploited Vulnerabilities Catalog
- InsertScript: A Tale About Foxit Reader Safe Reading Mode
- Bjorn Ruytenberg: Foxit Reader Sandbox Bypass
- SEC Consult: Outdated JavaScript Engine Leads to RCE in Foxit PDF Reader
- Foxit KB: How to Disable Safe Reading Mode
- Locklizard: Why Using JavaScript in PDF Files is a Security Risk
- Foxit: Report Security Vulnerabilities
- NVD: CVE-2025-66493
- SentinelOne: CVE-2026-5943
- Action1: CVE-2026-1591



