← back
CVE-2026-13127

Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability

CVSS 7.8 HIGHEPSS 0.1%CWE-416
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.8EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
08 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The application opens the PDF file. JavaScript then rewrites the document to modify the page structure, resulting in the invalidation of the page objects. However, the thumbnails still use the invalid page objects, ultimately causing the application to crash.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H