CVE-2026-3778Uncontrolled Recursion in Software INC Foxit PDF Editor

CWE-674Uncontrolled Recursion3 documents3 sources
Severity
6.2MEDIUMNVD
EPSS
0.0%
top 97.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Foxit Software INC Foxit PDF EditorFoxit Software INC Foxit PDF Reader
Timeline
PublishedApr 1

Description

The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF. When pages and annotations are crafted that reference each other in a loop, passing the document to APIs (e.g., SOAP) that perform deep traversal can cause uncontrolled recursion, stack exhaustion, and application crashes.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages2 packages

CVEListV5foxit_software_inc/foxit_pdf_editorVersions 13.2.2 and earlier, Versions 14.0.2 and earlier, Versions 2025.3 and earlier+2
CVEListV5foxit_software_inc/foxit_pdf_readerVersions 2025.3 and earlier

🔴Vulnerability Details

2
CVEList
Stack exhaustion caused by cyclic references in Foxit PDF Editor/Reader2026-04-01
GHSA
GHSA-hfjq-v5wc-856q: The application does not detect or guard against cyclic PDF object references while handling JavaScript in PDF2026-04-01
CVE-2026-3778 — Uncontrolled Recursion | cvebase