CVE-2026-12057 | When the application executes the JavaScript script embedded… | CVSS 8.6 HIGH

Description

When the application executes the JavaScript script embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution.

Metadata

CVE ID: CVE-2026-12057
State: PUBLISHED
Assigner: Foxit
Reserved: 2026-06-12 02:37 UTC
Published: 2026-06-15 10:21 UTC
Last updated: 2026-06-15 12:34 UTC
Primary CWE: CWE-829
CWE-829 Inclusion of functionality from untrusted control sp…
Vendor / Product: Foxit Software Inc. / Foxit AI
Sources: cve.org · NVD

Severity & Metrics

8.6 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Foxit Software Inc.	Foxit AI	—	before 2026-06-15

Weakness (CWE)

CWE	Source	Description
CWE-829	cna	CWE-829 Inclusion of functionality from untrusted control sphere

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.6	HIGH	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References (1)

https://www.foxit.com/support/security-bulletins.html