CVE-2026-3778

Summary

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

Affected Software

VendorProductVersion RangeStatus
Foxit Software Inc.Foxit PDF EditorVersions 2025.3 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 14.0.2 and earlieraffected
Foxit Software Inc.Foxit PDF EditorVersions 13.2.2 and earlieraffected
Foxit Software Inc.Foxit PDF ReaderVersions 2025.3 and earlieraffected

Weaknesses

  • CWE-674: CWE-674: Uncontrolled Recursion

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References