CVE-2026-3778

EUVD-2026-17757
The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.2 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
foxitpdf_editor
𝑥
≤ 13.2.2.24014
foxitpdf_editor
14.0.0.33046 ≤
𝑥
≤ 14.0.2.33402
foxitpdf_editor
2023.1.0.15510 ≤
𝑥
≤ 2023.3.0.23028
foxitpdf_editor
2024.1.0.23997 ≤
𝑥
≤ 2024.4.1.27687
foxitpdf_editor
2025.1.0.27937 ≤
𝑥
≤ 2025.3.0.35737
foxitpdf_reader
𝑥
≤ 2025.3.0.35737
foxitpdf_editor
𝑥
≤ 13.2.2.63349
foxitpdf_editor
14.0.0.68868 ≤
𝑥
≤ 14.0.2.69164
foxitpdf_editor
2023.1.0.55583 ≤
𝑥
≤ 2023.3.0.63083
foxitpdf_editor
2024.1.0.63682 ≤
𝑥
≤ 2024.4.1.66479
foxitpdf_editor
2025.1.0.66692 ≤
𝑥
≤ 2025.3.0.69570
foxitpdf_reader
𝑥
≤ 2025.3.0.69570
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.foxit.com/support/security-bulletins.html