{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-13127","assignerOrgId":"14984358-7092-470d-8f34-ade47a7658a2","state":"PUBLISHED","assignerShortName":"Foxit","dateReserved":"2026-06-24T03:01:48.781Z","datePublished":"2026-07-08T07:36:36.349Z","dateUpdated":"2026-07-08T12:13:59.482Z"},"containers":{"cna":{"providerMetadata":{"orgId":"14984358-7092-470d-8f34-ade47a7658a2","shortName":"Foxit","dateUpdated":"2026-07-08T07:36:36.349Z"},"title":"Foxit PDF Editor/Reader Annotation Use-After-Free Remote Code Execution Vulnerability","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-416","description":"CWE-416 Use after free","type":"CWE"}]}],"impacts":[{"descriptions":[{"lang":"en","value":"Potential arbitrary code execution"}]}],"affected":[{"vendor":"Foxit Software Inc.","product":"Foxit PDF Editor","platforms":["Windows"],"versions":[{"status":"affected","version":"Versions 2026.1.1 and earlier"},{"status":"affected","version":"Versions 14.0.4 and earlier"},{"status":"affected","version":"Versions 13.2.4 and earlier"}],"defaultStatus":"unaffected"},{"vendor":"Foxit Software Inc.","product":"Foxit PDF Reader","platforms":["Windows"],"versions":[{"status":"affected","version":"Versions 2026.1.1 and earlier"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"The application opens the PDF file. JavaScript then rewrites the document to modify the page structure, resulting in the invalidation of the page objects. However, the thumbnails still use the invalid page objects, ultimately causing the application to crash.","supportingMedia":[{"type":"text/html","base64":false,"value":"The application opens the PDF file. JavaScript then rewrites the document to modify the page structure, resulting in the invalidation of the page objects. However, the thumbnails still use the invalid page objects, ultimately causing the application to crash."}]}],"references":[{"url":"https://www.foxit.com/support/security-bulletins.html"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"HIGH","baseScore":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}],"credits":[{"lang":"en","value":"Anonymous working with TrendAI Zero Day Initiative","type":"finder"}],"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-08T12:13:51.030975Z","id":"CVE-2026-13127","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-08T12:13:59.482Z"}}]}}