PDF Zero-Day Vulnerabilities: Apryse WebViewer (formerly PDFTron) and Foxit PDF cloud services have 16 zero-day vulnerabilities that impact millions of enterprise users globally. These vulnerabilities include critical OS Command Injection, DOM-based XSS, SSRF, and Path Traversal flaws.
Novee Security disclosed its AI-augmented human-agent research workflow to demonstrate scalable zero-day discovery across widely used, complex PDF platforms. Both Apryse and Foxit were informed under responsible disclosure, and patches or mitigations were coordinated before publication. The attack surface of Apryse WebViewer, and the research methodology, covered three layers: a React-based UI iframe that accepts untrusted input from query strings, postMessage, remote JSON configuration, and URL fragments; a JavaScript/WebAssembly document engine that handles parsing and rendering; and a server-side SDK for HTML-to-PDF conversion and thumbnail generation.
The identified vulnerabilities were caused by a failure to validate input that crossed the trust boundaries between these layers. Ten more Stored XSS vulnerabilities across Foxit's platform complete the disclosure, including those in the Portfolio feature, Page Templates, Layer Import, Predefined Text, Trusted Certificates, Digital ID Common Name, Attachments, and eSign subdomains, as well as a WAF bypass variant in the Collaboration feature.
The 16 disclosed vulnerabilities, as tabulated on the page (#, vendor, vulnerability, severity, CVE ID):

1. Apryse: DOM XSS via uiConfig, Critical, CVE-2025-70402
2. Apryse: DOM XSS via author field annotation, High, CVE-2025-70401
3. Apryse: High, CVE-2025-70400
4. Full-read SSRF via iFrame rendering, Medium, CVE-2025-66500
5. Foxit: Stored XSS via Portfolio feature, Medium
6-13. Foxit, all rated Medium (the extracted table interleaves these cells, so they are listed as the page gives them): DOM XSS via postMessage handler; Stored XSS in Page Templates (CVE-2025-66501); Stored XSS via Trusted Certificates (CVE-2025-66521); Stored XSS in Layer Import (CVE-2025-66502); Stored XSS in Predefined Text (CVE-2025-66519); Three Reflected XSS in na1.foxitesign.foxit.com; Stored XSS via Digital ID Common Name (CVE-2025-66522); Stored XSS via Attachments (CVE-2025-66523); Stored XSS through the creation of a new layer field in the Collaboration feature (CVE-2026-1592); CVE-2025-66520 and CVE-2026-1591 are the remaining IDs in this block
14. Foxit: Path Traversal, Elevated, CVE not assigned
15. Foxit: Stored XSS (WAF Bypass) via the Collaboration feature, Medium, CVE not assigned
16. Foxit: OS Command Injection in the PDF SDK for Web, Critical, CVE not assigned

Enterprise teams that use Apryse WebViewer or Foxit PDF SDK for Web should install the latest patches right away, check server-side signature deployments for the missing default case in the switch-based input validation, and strictly enforce Content-Security-Policy and postMessage origin validation for all embedded PDF components.
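The postMessage origin validation and untrusted-configuration handling recommended above, shown as an added example of the defensive pattern for a host page embedding a PDF viewer iframe; this is not code from Apryse, Foxit or Novee, and the origin allowlist, message shape, key names and the applyUiConfig-style dispatch are assumptions:

```javascript
// Added example (not the vendors' code): a hardened postMessage handler for a
// page that embeds a PDF viewer iframe. The allowlist and message shape are
// constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://viewer.example.com"]); // constructed

// Weak check: substring matching also accepts "https://viewer.example.com.attacker.test".
function weakOriginCheck(origin) {
  return origin.includes("viewer.example.com");
}

// Strict check: exact match against an allowlist, no wildcards, no substring tests.
function strictOriginCheck(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Only booleans and short plain tokens under a fixed set of keys are accepted;
// URLs, markup, nested objects and unknown keys reject the whole config.
const ALLOWED_KEYS = new Set(["theme", "language", "readOnly"]);
const SAFE_VALUE = /^[A-Za-z0-9_-]{1,32}$/;

function sanitizeUiConfig(config) {
  if (typeof config !== "object" || config === null || Array.isArray(config)) return null;
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    if (!ALLOWED_KEYS.has(key)) return null;
    if (typeof value === "boolean") { out[key] = value; continue; }
    if (typeof value === "string" && SAFE_VALUE.test(value)) { out[key] = value; continue; }
    return null;
  }
  return out;
}

// Dispatch on message type with an explicit default: an unknown or missing
// type is rejected rather than falling through to a permissive path.
function handleViewerMessage(event) {
  if (!strictOriginCheck(event.origin)) return { ok: false, reason: "origin" };
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return { ok: false, reason: "shape" };
  switch (msg.type) {
    case "setUiConfig": {
      const cfg = sanitizeUiConfig(msg.config);
      return cfg ? { ok: true, config: cfg } : { ok: false, reason: "config" };
    }
    case "ping":
      return { ok: true, config: null };
    default:
      return { ok: false, reason: "type" };
  }
}
```

Wire `handleViewerMessage` to `window.addEventListener("message", ...)` and only apply the returned `config` when `ok` is true.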