CVE-2026-57250 PUBLISHED

Foxit PDF Editor/Reader Form Field Use-After-Free Vulnerability

Assigner: Foxit
Reserved: 24.06.2026 Published: 08.07.2026 Updated: 08.07.2026

When the application opens a PDF and JavaScript resets the form fields, the script re-enters the interface. The underlying native object is damaged, but the application does not perform validation. The function call on the damaged object leads to the application crashing.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Vendor Foxit Software Inc.
Product Foxit PDF Editor
Versions Default: unaffected
  • Version Versions 2026.1.1 and earlier is affected
  • Version Versions 14.0.4 and earlier is affected
  • Version Versions 13.2.4 and earlier is affected
Vendor Foxit Software Inc.
Product Foxit PDF Editor
Versions Default: unaffected
  • Version Versions 2026.1.1 and earlier is affected
  • Version Versions 14.0.3 and earlier is affected
  • Version Versions 13.2.3 and earlier is affected
Vendor Foxit Software Inc.
Product Foxit PDF Reader
Versions Default: unaffected
  • Version Versions 2026.1.1 and earlier is affected

Credits

  • XuPeng finder

References

Problem Types

  • CWE-416 Use after free CWE

Impacts

  • Potential arbitrary code execution