CVE-2026-3774
Received Received - Intake
PDF JavaScript Logic Flaw Causes Incomplete Redaction in PDF Application

Publication date: 2026-04-01

Last updated on: 2026-04-10

Assigner: Foxit

Description
The application allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing. These script‑driven updates are not fully covered by the existing redaction, encryption, and printing logic, which, under specific document structures and user workflows, may cause a small amount of sensitive content to remain unremoved or unencrypted as expected, or result in printed output that slightly differs from what was reviewed on screen.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3774
EUVD
EUVD-2026-17749
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
foxit pdf_editor From 2023.1.0.15510 (inc) to 2023.3.0.23028 (inc)
foxit pdf_editor From 2024.1.0.23997 (inc) to 2024.4.1.27687 (inc)
foxit pdf_editor to 13.2.2.24014 (inc)
foxit pdf_editor From 14.0.0.33046 (inc) to 14.0.2.33402 (inc)
foxit pdf_editor From 2025.1.0.27937 (inc) to 2025.3.0.35737 (inc)
foxit pdf_reader to 2025.3.0.35737 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves an application that allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing.

These script-driven updates are not fully handled by the existing redaction, encryption, and printing logic. As a result, under certain document structures and user workflows, some sensitive content may remain unremoved or unencrypted when it should have been, or the printed output may slightly differ from what was reviewed on screen.

Impact Analysis

The vulnerability can lead to sensitive information being unintentionally exposed because some content may not be properly redacted or encrypted as expected.

Additionally, the printed output might differ slightly from what was reviewed on screen, potentially causing confidential data to be printed without the user's awareness.

Compliance Impact

This vulnerability may impact compliance with standards and regulations such as GDPR and HIPAA because it can cause sensitive content to remain unremoved or unencrypted after redaction, encryption, or printing processes. This means that confidential or personal data might be exposed unintentionally, which could violate data protection requirements that mandate secure handling and removal of sensitive information.

Specifically, since the application allows PDF JavaScript and document/print actions to update form fields or annotations immediately before or after redaction or encryption, the existing security controls may not fully cover these updates. As a result, sensitive data could be leaked or improperly protected, potentially leading to non-compliance with privacy and security regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart