Multiple security vulnerabilities have been identified in Foxit PDF Reader and Foxit PDF Editor. The July 8, 2026 security release addresses a broad set of memory corruption and parsing bugs, including use-after-free, out-of-bounds read and write, buffer copy errors, type confusion, and array index validation issues. Several flaws can be triggered by specially crafted PDF files, including those containing embedded JavaScript, abnormal annotations, malformed page trees, corrupted signature fields, or deceptive XDP content.
CVE-2026-13126 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.[/subscribe_to_unlock_form]
Multiple security vulnerabilities have been identified in Foxit PDF Reader and Foxit PDF Editor. The July 8, 2026 security release addresses a broad set of memory corruption and parsing bugs, including use-after-free, out-of-bounds read and write, buffer copy errors, type confusion, and array index validation issues. Several flaws can be triggered by specially crafted PDF files, including those containing embedded JavaScript, abnormal annotations, malformed page trees, corrupted signature fields, or deceptive XDP content.
CVE-2026-13126 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.[emaillocker id="1283"]
CVE-2026-13127: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-13128 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-13129: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57237 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57238: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57240 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57242: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57244 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57245: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57247 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57249: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57250 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57252: A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57256 (CVSS 7.8 — Severity): A use-after-free vulnerability in Foxit PDF Reader and Editor allows an attacker to run code remotely when a victim opens a malicious PDF.
CVE-2026-57246: A buffer copy without size check vulnerability in Foxit PDF Reader and Editor allows an attacker to execute arbitrary code.
CVE-2026-57248 (CVSS 7.8 — Severity): A release of invalid pointer vulnerability in Foxit PDF Reader and Editor allows an attacker to execute arbitrary code.
CVE-2026-57251: An improper validation of array index vulnerability in Foxit PDF Reader and Editor allows an attacker to execute arbitrary code.
CVE-2026-57254 (CVSS 7.8 — Severity): A type confusion vulnerability in Foxit PDF Reader and Editor allows an attacker to execute arbitrary code.
CVE-2026-57260: An out-of-bounds write vulnerability in Foxit PDF Reader and Editor allows an attacker to execute arbitrary code. These vulnerabilities collectively present a significant risk of remote code execution, information exposure, and privilege escalation. Administrators should update Foxit PDF Reader and Foxit PDF Editor immediately through the in-app “Check for Update” option or by downloading the latest release from its website. These vulnerabilities collectively present a significant risk of remote code execution, information exposure, and privilege escalation.
These vulnerabilities collectively present a significant risk of remote code execution, information exposure, and privilege escalation.
We recommend you to update Foxit PDF Reader 2026.1.2 and Foxit PDF Editor 2026.1.2 for Windows, as well as updated Mac releases.
The following reports contain further technical details:
[/emaillocker]