UAF in Foxit PDF Editor/Reader via XFA calculate event

5.5 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

A crafted XFA PDF can trigger a use-after-free condition during calculate event processing, causing the application to crash and resulting in an arbitrary code execution.

Basic Information

ID CVE-2026-5939

Source Foxit

Published Apr 27, 2026 at 11:00

Affected Product

Vendor Foxit Software Inc.

Product Foxit PDF Editor

Version Versions 2026.1 and earlier

Affected Versions Foxit Software Inc. Foxit PDF Editor Versions 2026.1 and earlier
Foxit Software Inc. Foxit PDF Editor Versions 14.0.3 and earlier
Foxit Software Inc. Foxit PDF Reader Versions 2026.1 and earlier

CWE Classification

CWE-416

References

www.foxit.com /support/security-bulletins.html

{
    "lastseen": "",
    "description": "A crafted XFA PDF can trigger a use-after-free condition during calculate event processing, causing the application to crash and resulting in an arbitrary code execution.",
    "published": "2026-04-27T11:00:29.102Z",
    "modified": "2026-04-27T11:00:29.102Z",
    "type": "cve",
    "title": "UAF in Foxit PDF Editor/Reader via XFA calculate event",
    "source": "Foxit",
    "references": "https://www.foxit.com/support/security-bulletins.html",
    "id": "CVE-2026-5939",
    "bulletinFamily": "",
    "cwe": [
        "CWE-416"
    ],
    "cvelist": null,
    "sourceData": "Foxit Software Inc. Foxit PDF Editor Versions 2026.1 and earlier\nFoxit Software Inc. Foxit PDF Editor Versions 14.0.3 and earlier\nFoxit Software Inc. Foxit PDF Reader Versions 2026.1 and earlier",
    "sourceHref": "",
    "cvss": {
        "score": 5.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Foxit PDF Editor",
    "version": "Versions 2026.1 and earlier",
    "vendor": "Foxit Software Inc.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

UAF in Foxit PDF Editor/Reader via XFA calculate event_CVE-2026-5939