{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3775", "assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2", "state": "PUBLISHED", "assignerShortName": "Foxit", "dateReserved": "2026-03-08T03:42:27.208Z", "datePublished": "2026-04-01T01:40:36.975Z", "dateUpdated": "2026-04-02T02:11:52.749Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14984358-7092-470d-8f34-ade47a7658a2", "shortName": "Foxit", "dateUpdated": "2026-04-02T02:11:52.749Z"}, "title": "Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-427", "description": "CWE-427: DLL Hijacking", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Potential arbitrary code execution"}]}], "affected": [{"vendor": "Foxit Software Inc.", "product": "Foxit PDF Editor", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "defaultStatus": "unaffected"}, {"vendor": "Foxit Software Inc.", "product": "Foxit PDF Reader", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."}]}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "Erik Egsgard of Field Effect working with TrendAI Zero Day Initiative", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T14:16:37.847431Z", "id": "CVE-2026-3775", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:50:46.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3775", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-01T14:16:37.847431Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:16:42.873Z"}}], "cna": {"title": "Foxit PDF Editor/Reader Update Service Uncontrolled Search Path Element Local Privilege Escalation Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Erik Egsgard of Field Effect working with TrendAI Zero Day Initiative"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Potential arbitrary code execution"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Foxit Software Inc.", "product": "Foxit PDF Editor", "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}, {"vendor": "Foxit Software Inc.", "product": "Foxit PDF Reader", "versions": [{"status": "affected", "version": "Versions 2025.3 and earlier"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "supportingMedia": [{"type": "text/html", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: DLL Hijacking"}]}], "providerMetadata": {"orgId": "14984358-7092-470d-8f34-ade47a7658a2", "shortName": "Foxit", "dateUpdated": "2026-04-02T02:11:52.749Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3775", "state": "PUBLISHED", "dateUpdated": "2026-04-02T02:11:52.749Z", "dateReserved": "2026-03-08T03:42:27.208Z", "assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2", "datePublished": "2026-04-01T01:40:36.975Z", "assignerShortName": "Foxit"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9FD877-062E-4AE4-B7D7-91E1CA8657DF", "versionEndIncluding": "13.2.2.24014", "vulnerable": true}, {"criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7281CC-97ED-4441-BB97-6C73E328B9AD", "versionEndIncluding": "14.0.2.33402", "versionStartIncluding": "14.0.0.33046", "vulnerable": true}, {"criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C75FEE6-54F3-49C6-BAEA-A09D23BE5D64", "versionEndIncluding": "2023.3.0.23028", "versionStartIncluding": "2023.1.0.15510", "vulnerable": true}, {"criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C06BC41-9831-4AE3-B10B-3FC313D01580", "versionEndIncluding": "2024.4.1.27687", "versionStartIncluding": "2024.1.0.23997", "vulnerable": true}, {"criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD0AAFC0-5B9B-4A11-8967-4699792850F1", "versionEndIncluding": "2025.3.0.35737", "versionStartIncluding": "2025.1.0.27937", "vulnerable": true}, {"criteria": "cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A7AD877-2AB4-4568-8109-5406D2259725", "versionEndIncluding": "2025.3.0.35737", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The application's update service, when checking for updates, loads certain system libraries from a search path that includes directories writable by low\u2011privileged users and is not strictly restricted to trusted system locations. Because these libraries may be resolved and loaded from user\u2011writable locations, a local attacker can place a malicious library there and have it loaded with SYSTEM privileges, resulting in local privilege escalation and arbitrary code execution."}, {"lang": "es", "value": "El servicio de actualizaci\u00f3n de la aplicaci\u00f3n, al buscar actualizaciones, carga ciertas bibliotecas del sistema desde una ruta de b\u00fasqueda que incluye directorios escribibles por usuarios con pocos privilegios y no est\u00e1 estrictamente restringida a ubicaciones de sistema confiables. Debido a que estas bibliotecas pueden ser resueltas y cargadas desde ubicaciones escribibles por el usuario, un atacante local puede colocar una biblioteca maliciosa all\u00ed y hacer que se cargue con privilegios de SYSTEM, lo que resulta en una escalada de privilegios local y ejecuci\u00f3n de c\u00f3digo arbitrario."}], "id": "CVE-2026-3775", "lastModified": "2026-04-14T17:56:31.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary"}]}, "published": "2026-04-01T02:16:02.440", "references": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "tags": ["Vendor Advisory"], "url": "https://www.foxit.com/support/security-bulletins.html"}], "sourceIdentifier": "14984358-7092-470d-8f34-ade47a7658a2", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "calver", "value": "[0,2025.3]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "Foxit PDF Editor", "source": "cna", "vendor": "Foxit Software Inc."}, "product": "foxit_pdf_editor", "vendor": "foxitsoftware"}, {"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "calver", "value": "[0,2025.3]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "Foxit PDF Reader", "source": "cna", "vendor": "Foxit Software Inc."}, "product": "foxit_reader", "vendor": "foxitsoftware"}], "analysis": {"en": {"generated_at": "2026-04-14T21:48:20.585852+00:00", "value": {"mitigation_remediation": ["Apply the latest Foxit update that removes writable directories from the update service\u2019s search path.", "If no update is available, disable the update service or block its network access to prevent update checks from loading libraries.", "Restrict write permissions on directories referenced by the update service\u2019s search path so that non\u2011privileged users cannot add files.", "Monitor those directories for unexpected DLLs or permission changes."], "summary": {"action": "Patch Promptly", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Foxit Software Inc.\u2019s PDF Editor and PDF Reader applications on Windows are affected; the specific edition or version is not listed, so any installation that uses the default update service is potentially vulnerable.", "description_and_impact": "The vulnerability permits a local attacker to exploit the update service\u2019s use of an uncontrolled search path, allowing a malicious DLL to be loaded with SYSTEM privileges and thus achieving arbitrary code execution, identified as CWE\u2011427.", "risk_and_exploitability": "The CVSS score of 7.8 and an EPSS below 1\u202f% indicate high severity but low current exploitation likelihood; the flaw is not listed in the CISA KEV catalog, and exploitation requires local write access to the vulnerable directories and triggering an update check."}}}}, "created": "2026-04-02T07:50:21.323404+00:00", "updated": "2026-04-15T16:45:09.762578+00:00", "vendors": ["foxitsoftware", "foxitsoftware$PRODUCT$foxit_pdf_editor", "foxitsoftware$PRODUCT$foxit_reader"]}