FoxIT PDF Editor and Reader Multiple Remote Code Execution Vulnerabilities
Summary
CERT-FR published an advisory on 27 April 2026 detailing multiple vulnerabilities in FoxIT PDF products affecting PDF Editor versions prior to 13.2.4, PDF Reader versions 2026.x prior to 2026.1.1, and PDF Reader versions prior to 14.0.4. Seven CVEs (CVE-2026-5937 through CVE-2026-5943) are referenced. The vulnerabilities enable remote code execution, remote denial of service, and data confidentiality breaches. Users are directed to the FoxIT security bulletin for patch information.
“De multiples vulnérabilités ont été découvertes dans les produits FoxIT.”
About this source
CERT-FR is the French government's national cybersecurity incident response team, run by the ANSSI. Their advisory feed publishes vulnerability disclosures, active exploitation warnings, and emergency patching guidance for software in widespread enterprise use: browsers, hypervisors, ERP systems, network equipment, file transfer products. Around 180 advisories a month. The advisories are written in French but cover the same vulnerability universe as CISA, NCSC-UK, BSI's CERT-Bund, and JPCERT, often hours earlier on European-headquartered vendors. Watch this if you patch enterprise software, run a SOC, write detection content, or track Schneider, Dassault, OVH, Atos, or any French-vendor advisory faster than English-language sources will surface it. GovPing publishes each advisory with the affected vendor, severity, and CERT-FR link.
What changed
CERT-FR disclosed multiple vulnerabilities in FoxIT PDF Editor and PDF Reader software spanning three affected version ranges. The vulnerabilities carry three distinct risk categories: remote arbitrary code execution, remote denial of service, and data confidentiality compromise. Seven CVE identifiers (CVE-2026-5937 through CVE-2026-5943) are associated with this disclosure.
Organizations and individual users running FoxIT PDF Editor or PDF Reader in any of the affected version ranges should prioritize obtaining and applying the vendor-issued patches referenced in the FoxIT security bulletin. Given the severity of remote code execution risk, patching should be treated as a time-sensitive security measure regardless of whether the software handles sensitive documents.
Archived snapshot
Apr 27, 2026GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Premier Ministre S.G.D.S.N
Agence nationale
de la sécurité des
systèmes d'information
Paris, le 27 avril 2026 N° CERTFR-2026-AVI-0501 Affaire suivie par: CERT-FR
Avis du CERT-FR
Objet: Multiples vulnérabilités dans les produits FoxIT
Gestion du document
| Référence | CERTFR-2026-AVI-0501 |
| Titre | Multiples vulnérabilités dans les produits FoxIT |
| Date de la première version | 27 avril 2026 |
| Date de la dernière version | 27 avril 2026 |
| Source(s) | Bulletin de sécurité FoxIT security-bulletins.php du 27 avril 2026 |
Une gestion de version détaillée se trouve à la fin de ce document.
Risques
- Atteinte à la confidentialité des données
- Déni de service à distance
- Exécution de code arbitraire à distance
Systèmes affectés
- PDF Editor versions antérieures à 13.2.4
- PDF Reader versions 2026.x antérieures à 2026.1.1
- PDF Reader versions antérieures à 14.0.4
Résumé
De multiples vulnérabilités ont été découvertes dans les produits FoxIT. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Documentation
- Bulletin de sécurité FoxIT security-bulletins.php du 27 avril 2026
- https://www.foxitsoftware.com/support/security-bulletins.php
- Référence CVE CVE-2026-5937
- https://www.cve.org/CVERecord?id=CVE-2026-5937
- Référence CVE CVE-2026-5938
- https://www.cve.org/CVERecord?id=CVE-2026-5938
- Référence CVE CVE-2026-5939
- https://www.cve.org/CVERecord?id=CVE-2026-5939
- Référence CVE CVE-2026-5940
- https://www.cve.org/CVERecord?id=CVE-2026-5940
- Référence CVE CVE-2026-5941
- https://www.cve.org/CVERecord?id=CVE-2026-5941
- Référence CVE CVE-2026-5942
- https://www.cve.org/CVERecord?id=CVE-2026-5942
- Référence CVE CVE-2026-5943
- https://www.cve.org/CVERecord?id=CVE-2026-5943
Gestion détaillée du document
- le 27 avril 2026 Version initiale
Parties
Related changes
Get daily alerts for CERT-FR Security Advisories
Daily digest delivered to your inbox.
Free. Unsubscribe anytime.
About this page
Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission
Source document text, dates, docket IDs, and authority are extracted directly from CERT-FR.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.
Classification
Who this affects
Taxonomy
Browse Categories
Get alerts for this source
We'll email you when CERT-FR Security Advisories publishes new changes.
Subscribed!
Optional. Filters your digest to exactly the updates that matter to you.