Improper Validation of Array Index in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57251

 

Improper Validation of Array Index in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57251

Published: July 8, 2026


Vulnerability identifier: #VU137073
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-57251
CWE-ID: CWE-129
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Foxit Software Inc.
Affected software:
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Windows

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper validation of array index in Foxit PDF Reader and Foxit PDF Editor when handling certain PDFs embedded with JavaScript to modify annotation attributes. A remote attacker can trick the victim into opening a crafted PDF file to execute arbitrary code.

User interaction is required to open a crafted PDF file.


How to mitigate CVE-2026-57251

Install security update from vendor's website.

Sources