Researchers have identified more than a dozen vulnerabilities in popular PDF platforms from Foxit and Apryse, demonstrating how attackers could have exploited them for account takeover, data exfiltration, and other attacks.
The vulnerabilities were discovered by researchers at penetration testing startup Novee, which emerged from stealth mode in January 2026 with over $51 million in funding.
The findings were responsibly disclosed to Foxit and Apryse, and both vendors have patched the reported vulnerabilities.
Novee’s research targeted Apryse WebViewer and Foxit PDF cloud services. Apryse WebViewer, formerly PDFTron, is a JavaScript-based document SDK and UI component library that enables developers to embed viewing, annotation, editing, and conversion features directly into web applications and browsers.
Foxit PDF cloud services, such as Foxit PDF Editor Cloud, are browser-based PDF solutions that provide a full-featured platform for viewing, creating, editing, annotating, organizing, converting, securing, exporting, and signing PDF documents and forms.
Novee’s analysis — powered by specialized AI agents — led to the discovery of 16 vulnerabilities across Apryse and Foxit products. One critical and two high-severity vulnerabilities were found in Apryse products, and two high-severity and 11 medium-severity issues were identified in Foxit products.
The list of flaws includes DOM XSS, SSRF, stored and reflected XSS, path traversal, and OS command injection vulnerabilities.
Novee’s tests demonstrated that attackers could have exploited the security holes via specially crafted documents, URLs, or messages to execute arbitrary code or commands.
“Several vulnerabilities were exploitable with a single request and affected trusted domains commonly embedded inside enterprise applications,” the security firm explained.
The researchers showed that, in scenarios where PDF viewers are embedded in authenticated applications, an attacker could have leveraged the XSS flaws for account takeover. In addition, an attacker could have exploited the weaknesses to exfiltrate sensitive document or user data, manipulate documents, or achieve persistent compromise using payloads that survive page refreshes.
“From a defender’s perspective, this means that a component long assumed to be low risk can quietly become a high-impact attack surface,” Novee said.
SecurityWeek has reached out to both Foxit and Apryse for comment.
Hongtao Huang, Group SDE, Product Security, Foxit, stated:
“Foxit takes product security seriously and maintains an active responsible disclosure program for exactly this reason. When Novee Security Research identified these vulnerabilities and brought them to our attention, our security team engaged immediately. We worked collaboratively with Novee through the full remediation process and have published detailed updates through our Trust Center.
We appreciate Novee’s professionalism and thoroughness throughout this process. This is responsible disclosure working exactly as it should. Foxit remains committed to ongoing transparency with the security research community and our customers.”
Stan Kornacki, Vice President of IT and CISO, Apryse, commented:
“The issues referenced in Novee’s upcoming research were responsibly reported and have been addressed through product updates, documentation improvements, and strengthened default configurations.
We expect these types of issues to be infrequent, but when they appear, we address them promptly and thoroughly, keeping all parties informed throughout the process.
Our vulnerability management processes are comprehensive — designed not just to remediate vulnerabilities but to assess potential data impact, test for unintended behavior, and ensure every release meets the high standard of code quality our customers deserve.”