VYPR
High severity (score 8.6) · NVD Advisory · Published Jun 15, 2026

CVE-2026-12057

Description

Foxit AI fails to sandbox dangerous JS interfaces in PDFs, allowing remote script loading leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Foxit AI (https://ai.foxit.com/) contains a sandbox escape vulnerability tracked as CVE-2026-12057. The application executes JavaScript embedded in a PDF inside a sandbox, but that sandbox fails to intercept some dangerous JavaScript interfaces, so an embedded script can use them to load code from a remote server. Which interfaces are affected is not named in the source. Foxit AI prior to the security update released on June 15, 2026 is affected [1].

Exploitation

An attacker crafts a PDF whose embedded JavaScript calls the unintercepted interfaces to fetch a script from a server the attacker controls. No authentication is required; the only precondition is that the affected Foxit AI application processes the attacker's PDF, which in practice means convincing a victim to open or submit it. The sandbox bypass takes effect at the moment the embedded script runs and the remote payload loads [1].

Impact

Successful exploitation yields arbitrary code execution outside the sandbox, in the security context of whatever account runs Foxit AI's JavaScript engine. The source describes this as the privileges of the user running Foxit AI, which would allow full compromise of that host, data theft, and lateral movement [1]. One caveat for readers: the Mitigation section describes the fix as applied server-side, and the source does not state whether the execution context is the user's endpoint or a Foxit-operated host that processes the PDF.

Mitigation

Foxit released a security update on June 15, 2026 that addresses the issue. Because Foxit AI is delivered as a service and the update was applied server-side, no customer action is required; users should nonetheless confirm they are using the current version of the service. No workarounds are published; the update is the only mitigation [1]. Until the update can be confirmed, the one lever left to customers is to treat PDFs from untrusted sources that carry JavaScript as hostile and keep them out of the service.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The vulnerability mechanics section is only generated when the actual fix diff can be read; without it, the four sub-sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.