16 Vulnerabilities in Apryse WebViewer and Foxit PDF Cloud Services Enable Account Takeover and Data Theft
Researchers at Novee reported 16 vulnerabilities affecting widely deployed PDF platforms Apryse WebViewer (formerly PDFTron) and Foxit PDF cloud services/SDK components, warning they could be exploited for account hijacking, data theft, and in some cases remote code execution. Reported issue classes include DOM-based, stored, and reflected XSS, server-side request forgery (SSRF), path traversal, and OS command injection; testing indicated attackers could trigger exploitation via crafted documents, messages, or URLs, with elevated risk when these viewers are embedded inside authenticated enterprise applications and trusted domains.
Technical details highlighted that Apryse WebViewer spans multiple trust boundaries (a React-based iframe UI ingesting untrusted inputs such as query strings and postMessage, a JavaScript/WebAssembly document engine, and server-side SDK services), and that insufficient validation across these boundaries enabled exploitation paths. The most severe issue described was a critical OS command injection (CVSS 9.8) in Foxit’s Node.js signature server component, where a POST body parameter was reportedly concatenated into a command execution path. Both Apryse and Foxit stated the findings were responsibly disclosed and addressed via patches, updates, and configuration changes, with additional security hardening performed during remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Novee publicly discloses 16 zero-days affecting Apryse and Foxit
Novee publicly disclosed the 16 vulnerabilities, highlighting severe issues such as a Foxit PDF SDK for Web Node.js signature server OS command injection, Apryse SSRF, and multiple XSS flaws. The publication warned that exploitation could occur through crafted documents, messages, or URLs, especially in authenticated enterprise deployments.
Apryse and Foxit deploy patches and mitigations
Before the research was published, both vendors coordinated fixes, updates, and configuration changes to address the reported vulnerabilities. The response included patching affected components and strengthening measures such as CSP and postMessage validation.
Apryse and Foxit receive responsible disclosure reports
Novee reported the vulnerabilities to Apryse and Foxit through responsible disclosure before public release. The disclosures covered flaws affecting embedded PDF viewers, cloud services, and related components used in enterprise environments.
Novee Security discovers 16 flaws in Apryse and Foxit PDF platforms
Novee Security identified 16 vulnerabilities across Apryse WebViewer and multiple Foxit PDF cloud and service components. The issues included OS command injection, DOM-based, stored, and reflected XSS, SSRF, and path traversal that could enable code execution, account hijacking, and data theft.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PDF Ecosystem Vulnerabilities Enable One-Click Attacks and PDF Object Injection
Security researchers reported multiple previously unknown weaknesses across the PDF ecosystem that can be exploited through crafted documents. Novee Security’s research into *Foxit* and *Apryse* PDF platforms described **13 vulnerability categories** and **16 exploit paths**, including **critical XSS** and **OS command injection**, with “one-click” scenarios where simply opening a document could trigger compromise and potentially enable account takeover or backend command execution. Separately, a high-severity flaw in the widely used *jsPDF* library was disclosed as **CVE-2026-25755** (CVSS **8.8**), enabling **PDF object injection** via improper sanitization in the `addJS` method. By breaking out of the `/JS (...)` string (e.g., injecting `) >> /Action ...`), an attacker can inject arbitrary PDF structures and actions such as `/OpenAction`, potentially triggering behavior even when JavaScript is disabled in the viewer and enabling document manipulation (e.g., altering `/Annots` or `/Signatures`) across different PDF viewers, including lightweight mobile/embedded parsers.
Mar 21, 2026
Foxit PDF Editor Cloud XSS Vulnerabilities Patched
Foxit released security updates for *Foxit PDF Editor Cloud* (and related *Foxit eSign* components) to address two **cross-site scripting (XSS)** flaws that could allow **arbitrary JavaScript execution** in a victim’s browser when handling crafted content. The issues are tracked as **CVE-2026-1591** and **CVE-2026-1592** (both **CWE-79**) and were attributed to insufficient input validation and improper output encoding that allowed untrusted data to be embedded into the application’s HTML. The vulnerable functionality includes the **File Attachments list** and **Layers panel**, where attackers could inject payloads via crafted attachment filenames or manipulated layer names inside PDFs, requiring **user interaction** (e.g., opening/interacting with malicious documents) and typically **authenticated** access. Both CVEs are rated **moderate severity** with **CVSS v3.0 6.3**; exploitation could expose sensitive information available to the user’s session (e.g., document contents and session data). Foxit’s guidance is to ensure affected services are updated; the most recent referenced update for PDF Editor Cloud was released **February 3, 2026**.
Mar 21, 2026
Multiple Vulnerabilities Disclosed in Foxit PDF Reader and Editor
German authorities published advisories for **multiple vulnerabilities** affecting **Foxit PDF Reader** and **Foxit PDF Editor**, indicating ongoing security issues across the vendor's desktop PDF products. The notices identify separate advisory entries, `2026-0914` and `2026-1256`, covering flaws in both **Reader** and **Editor** and signaling that organizations using Foxit software should review the affected versions and available vendor guidance. The repeated disclosures suggest a broader patch-management concern for enterprises that rely on Foxit for document handling, particularly because PDF applications are common targets for malicious document-based exploitation. Security teams should prioritize validating installed Foxit versions, applying relevant updates, and monitoring for suspicious PDF-related activity on endpoints where Foxit Reader or Editor is deployed.
Apr 27, 2026