Foxit PDF Reader and Editor Arbitrary HTML Injection Vulnerability

Vulnerability

A vulnerability allowing arbitrary HTML injection has been identified in Foxit PDF Reader and Foxit PDF Editor for both Windows and macOS. This issue affects several different versions and stems from the application's StartPage feature, which loads static HTML files from a user-writable location without proper validation. An attacker who can modify these HTML files could inject malicious content that the application would execute upon startup, potentially leading to information disclosure or unauthorized data access.
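A defender-side check for the condition described above, as an added example that is not code from Foxit or from this advisory: it records a SHA-256 baseline of the static web files in a directory and later reports files that were added, modified, removed, or left writable by group/other. The StartPage directory path is not given on this page, so the caller supplies it; the extension list and function names are assumptions, and the mode-bit test applies to macOS (on Windows, inspect the folder ACLs instead).

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Assumption: file types a static start page would load.
WEB_EXTS = {".html", ".htm", ".js", ".css"}

def snapshot(root):
    """Map relative path -> (sha256 hex, writable-by-group/other) for web files under root."""
    snap = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            loose = bool(p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            snap[p.relative_to(root).as_posix()] = (digest, loose)
    return snap

def diff(baseline, current):
    """Compare two snapshots and return sorted (kind, path) findings."""
    findings = []
    for path, (digest, loose) in current.items():
        if path not in baseline:
            findings.append(("added", path))
        elif baseline[path][0] != digest:
            findings.append(("modified", path))
        if loose:
            findings.append(("writable", path))
    findings += [("removed", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Constructed sample: a stand-in start-page directory, baselined and then changed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "app.js").write_text("console.log('start');")
        for f in root.iterdir():
            f.chmod(0o644)
        baseline = snapshot(root)          # taken right after a clean install
        (root / "index.html").write_text("<html><body>Welcome<!-- changed --></body></html>")
        (root / "extra.js").write_text("// new file")
        (root / "extra.js").chmod(0o666)   # writable by any local user
        (root / "app.js").unlink()
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

Store the baseline somewhere the monitored user cannot write, otherwise a change to the HTML files can be hidden by rewriting the baseline as well.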

Impact

Exploitation of this vulnerability could result in arbitrary HTML injection, allowing attackers to execute malicious HTML or JavaScript in the context of the application.

Remediation

Users can update to the latest versions of Foxit PDF Reader or Foxit PDF Editor. For Windows, the updated versions are Foxit PDF Reader 2025.2.1 and Foxit PDF Editor 2025.2.1/14.0.1/13.2.1. For Mac, users can update to Foxit PDF Reader for Mac 2025.2.1 or Foxit PDF Editor for Mac 2025.2.1/14.0.1/13.2.1.

Added: Dec 11, 2025, 4:26 PM
Updated: Dec 11, 2025, 8:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 3.3
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.