Takeover Flaw in Foxit's AI PDF Tool: CVE-2026-12057, a Crafted PDF Can Lead to Remote Code Execution

Foxit AI, the browser-based AI PDF service, has a takeover flaw (CVE-2026-12057, severity 8.6). Feeding it a crafted PDF lets instructions hidden inside the file call out to an external program and run attacker code. Foxit applied a fix on June 15, 2026, and there are no reports of abuse so far.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.15

Foxit AI, the browser-based service that lets you have an AI read, summarize, and translate your PDFs, has a flaw that can let an attacker take over the machine or server behind it. Tracked as CVE-2026-12057, it carries a severity of 8.6 out of 10 (High). Feed it a booby-trapped PDF and the instructions hidden inside that PDF can reach out to an external program and run actions that were supposed to be blocked.

On June 15, 2026, vendor Foxit disclosed the issue in its security bulletin and says it shipped a fix the same day. There are no reports of real-world abuse yet, but PDFs are files you open every day at work and at home. Here is what is dangerous, and how to tell whether you are affected.

✓ What is confirmed so far

  • The affected product is Foxit AI (ai.foxit.com); the flaw is in how it handles instructions embedded in PDFs (NVD)
  • Severity is 8.6 of 10; the class is trusting and pulling in functionality from an untrusted source (CWE-829)
  • Foxit disclosed the issue on June 15, 2026 and says it applied a fix the same day (Foxit)
  • Credited to researcher "mrfathoni." No known exploitation and no KEV listing as of now

What kind of service is Foxit AI

Foxit is the company behind the free "Foxit PDF Reader" and the paid "Foxit PDF Editor." As an alternative to Adobe Acrobat, its products are widely used by businesses and government offices, including in Japan.

Foxit AI is the AI feature that grew out of that lineup. You open a PDF in your browser and tell it "summarize this contract" or "translate this document into Japanese," and the AI reads the contents and answers. You do not need to swap out the software on your machine; you just drop a file in and go.

The convenience has a flip side: services like this make it easy to keep feeding in PDFs of unknown origin just to let the AI read them. This vulnerability sits squarely in that "reading it in" step.

Who Slips You the PDF in a Job That Is Just "Let the AI Read It"

Rather than staring at the number 8.6, it is more chilling to recall where the PDFs you and your company toss into an AI every day actually come from — and how rarely anyone questions them. What suits an attacker here is precisely that a PDF travels from hand to hand like an unsuspected sheet of paper.

The people slipping you a crafted PDF are not necessarily genius hackers in a faraway country. The more vivid ones are fraud rings emailing a "quote" or "invoice" PDF while posing as a supplier, industrial spies dropping in a "résumé" while impersonating HR, operators who plant poisoned files on free template download sites, and intruders who hijack a coworker's account and slide a fake document into a shared folder. What they are after is not abstract "data" but the things with concrete names that the AI tool is touching right now: the contract, the figure on a quote, the unreleased proposal, the internal password list, the customer records. The instant you let it read one crafted PDF, the key to the AI's workroom passes to them, and they use it as a corridor to take over the server itself.

In security terms, this is the classic abuse of a "trusted courier." Because a PDF moves around inside and outside a company without raising suspicion, sending it as an email attachment or a chat link gets it opened without caution. The information wanted for the reconnaissance phase before the real attack is also right there, in the pile of documents fed in for summarizing. Once this path is pried open, the same trick can be reused on the next target and on business partners, again and again. Whether the goal is an impersonation email or a foothold into internal systems, having the entry point be nothing more than "let it read a PDF" is, from the attacker's side, an ideal condition.

The figure "8.6" only marks technical severity. The files you ask an AI to summarize or translate are, by their nature, often the ones you have no time to read in full so you hand them off, or the ones you want processed quickly precisely because you would rather they not be seen. What is really lost is not "one server" but the trust of the counterparties named in that pile of documents, the plans not yet made public, and the information about other people you were entrusted with.

CVE-2026-12057: when instructions inside a PDF reach the outside world

A PDF is not just "a picture of a page." It can carry small programs (JavaScript) inside and run them automatically when opened. Originally a useful feature, it powers things like form validation and what happens when you press a button.

Features that carry such risk are, as a rule, supposed to run only inside a sandbox — an "isolated box." It is a safety device: whatever happens inside the box, it cannot reach the actual PC or server outside.

With CVE-2026-12057, however, Foxit AI had set up that box but left some of the dangerous exits to the outside unsealed. As a result, instructions planted in a PDF could call out to another program outside the box (a remote script), and ultimately the attacker's own routine runs as-is. The NVD description states that "when the application executes the JavaScript embedded in the PDF within the sandbox, it fails to intercept some dangerous interfaces, which allows remote scripts to be loaded, resulting in arbitrary code execution." It is classified as trusting and pulling in functionality from an untrusted source (CWE-829).
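The "do not feed an AI a PDF of unknown origin" advice can be backed by a quick pre-upload check. The following is an added example, not code from Foxit or this article: a Python triage script that flags the PDF dictionary keys which cause execution on open, inflating FlateDecode streams and folding hex-escaped names so a hidden /JS key is still found; the key list and the sample PDF bytes are my own construction.

```python
import re
import zlib

# Dictionary keys that make a PDF execute something when opened. This list
# is assumed for the triage check; it is not taken from the Foxit bulletin.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def inflate_streams(data):
    # Append the inflated body of every FlateDecode stream so keys hidden
    # inside compressed objects (including object streams) become visible.
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, other filters)
    return b"\n".join(out)

def normalize_names(data):
    # PDF names may use hex escapes (/J#53 is /JS); fold them so an escaped
    # key cannot slip past a plain substring match.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def find_risky_keys(pdf_bytes):
    # Return the sorted list of risky keys present anywhere in the file.
    text = normalize_names(inflate_streams(pdf_bytes))
    found = set()
    for key in RISKY_KEYS:
        # Lookahead so /JS does not also match a longer name such as /JSX.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", text):
            found.add(key.decode())
    return sorted(found)

# Constructed sample: an OpenAction that points at a JavaScript action whose
# /JS key is hex-escaped.
SAMPLE_PLAIN = (b"%PDF-1.7\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                b"3 0 obj << /S /JavaScript /J#53 (1+1) >> endobj\n%%EOF\n")
# Constructed sample: the same action dictionary inside a Flate stream.
_body = zlib.compress(b"3 0 obj << /S /JavaScript /JS (1+1) >> endobj")
SAMPLE_COMPRESSED = (b"%PDF-1.7\n4 0 obj << /Filter /FlateDecode /Length "
                     + str(len(_body)).encode() + b" >>\nstream\n" + _body
                     + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, pdf in (("plain", SAMPLE_PLAIN), ("compressed", SAMPLE_COMPRESSED)):
        print(name, find_risky_keys(pdf))  # both list /JS and /JavaScript
```

This is a triage heuristic, not a PDF parser: encrypted files and streams using other filters need a full PDF library to inspect.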

The technical scoring (CVSS vector) is AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. It looks daunting, but the gist is this: the crafted file has to reach the application and a user has to load it (AV:L, UI:R); once it runs, the impact crosses out of the isolation box into the surrounding system (S:C); and the impact on stealing, tampering, and destroying information is all at the maximum (C:H/I:H/A:H). No login and no special privileges are needed (PR:N). The fact that the damage is complete just from "opening it" or "letting it read" is the type most feared in file-handling software.

Are you affected, and what should you do

The affected product here is specifically Foxit AI. Someone who only "opens and prints" with the desktop Foxit PDF Reader or Editor is not suddenly at risk from this one issue alone. Here is who is affected and what to do, by how you use it.

| How you use it | Affected by CVE-2026-12057 | What to do |
|---|---|---|
| Foxit AI in the browser | Affected | Foxit applied a fix on June 15; generally no action needed |
| Via the AI assistant inside a Foxit product | Possibly affected | Update the app to the latest version |
| Foxit PDF Reader / Editor (no AI feature) | Not directly targeted by this CVE | Keep updated as general hygiene |
| Other vendors' PDF software | Not affected | |

Because Foxit AI runs in the browser, the fix is applied on Foxit's servers. Users do not need to reinstall anything, and it appears to be in a patched state already. If, however, you use a desktop Foxit product with its AI assistant built in, updating the app to the latest version is the safe move. Foxit publishes update details on an ongoing basis in its official security bulletins.

On top of that, this is a good moment to revisit the basics that apply to any file-handling software. Do not casually feed an AI a PDF from an email whose sender is unclear, or a free template you found via search. If you use AI tools at work, decide in advance which documents are allowed to be fed in. Habits like these also shrink the damage the next time a similar flaw appears.

This is not Foxit's first PDF flaw

The "owned just by opening it" pattern around PDF software keeps happening, and not only at Foxit. Even within Foxit, in April 2026 a batch of seven flaws (CVE-2026-5937 through CVE-2026-5943) leading to arbitrary code execution and more was disclosed in PDF Editor and Reader, with agencies in several countries urging updates. The history of fixes can also be checked in the CVE database listing.

The same "owned the moment you open a file or a link" type is endless in other software too. On this site we have covered the takeover flaw found in the 7-Zip archiver, the analysis tool Ghidra's "owned just by opening a file," and the Mac video player IINA's takeover via a malicious link. The more routinely you open a file type, the more ideal an entry point it makes for attackers.

Exploitation status, and what to keep an eye on

As of June 15, 2026, there are no reports of CVE-2026-12057 being used in real attacks, and it is not listed in the U.S. government's CISA KEV catalog of vulnerabilities "known to be exploited." You can track the latest status of actively exploited flaws in one place on our CISA KEV dashboard (Japanese).

That said, abusing PDF JavaScript is familiar territory for attackers, and if detailed write-ups of the pre-fix mechanics become public, follow-on abuse remains possible. Foxit says the fix is applied, but on the user side, sticking to the basic rule of "do not feed an AI a PDF of unknown origin" is still the most reliable defense.
