XML External Entity injection in Foxit PDF Editor (formerly Foxit PhantomPDF) and Foxit PDF Reader for Windows - CVE-2026-57259
Published: July 8, 2026
Foxit PDF Editor (formerly Foxit PhantomPDF)
Foxit PDF Reader for Windows
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper restriction of XML external entity reference in XDP/XML parsing in Foxit PDF Reader and Foxit PDF Editor when parsing crafted XDP documents disguised as PDF files. A remote attacker can trick the victim into opening a crafted file to disclose sensitive information.
User interaction is required to open a crafted file.