TL;DR
Foxit shipped Foxit PDF Reader 2026.1.2 and PDF Editor 2026.1.2 for Windows. The release fixes 28 security flaws. Twenty of them can lead to arbitrary code execution when someone opens a crafted PDF. So far, no vendor or researcher has confirmed active exploitation or a public proof-of-concept.
Why it matters
Foxit PDF Reader sits on millions of Windows desktops. Therefore, a single document-parsing bug can reach a wide audience. Most of these flaws carry a CVSS 3.0 score of 7.8 and an “Important” rating. Each one lets a rigged file run code in the current user’s context. One update-service bug scores higher, at 8.2, because it can hand an attacker SYSTEM rights.
How the attack works
The core mechanism is familiar. Most of the bugs are use-after-free issues, tracked under CWE-416 (for example, CVE-2026-13126). They trigger when the reader parses a PDF that carries crafted JavaScript. The script frees an internal object, and the program then touches that freed memory. From there, an attacker can redirect execution toward arbitrary code execution.
Other flaws take different routes to the same result. Examples include a type confusion bug, an out-of-bounds write (CVE-2026-57260), and a buffer copy that skips a size check. Yet the entry point stays constant. In every case, the victim must open a malicious PDF first. National CERT teams and the Zero Day Initiative have documented this class in Foxit before, so the pattern is well understood.
Two flaws stand apart
One local privilege escalation flaw, CVE-2026-57239, abuses the Foxit update service. It executes a user-controllable file with elevated privileges. As a result, an unprivileged user can climb to SYSTEM. A separate XML external entity bug can disclose data through crafted XDP documents disguised as PDF files.
Affected versions
On Windows, Foxit PDF Reader 2026.1.1.36485 and earlier are affected. Foxit PDF Editor is affected across many branches. That list covers all 2026.x builds up to 2026.1.1, plus older 2025.x, 2024.x, and 2023.x releases. The 14.x line through 14.0.4 and 13.2.4 and earlier also need the patch.
Patch and mitigation
Update now to version 2026.1.2. Inside the app, open Help, choose About, then click Check for Update. Alternatively, download fresh installers from Foxit’s page.
Until the patch lands, keep Safe Reading Mode turned on. Foxit enables it by default, and it blocks much of the risky JavaScript these flaws rely on. Also, treat PDFs from unknown senders with caution. Together, these habits cut your exposure to arbitrary code execution while you finish the rollout.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.