CVE-2026-3774

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-3774
The application allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing. These script‑driven updates are not fully covered by the existing redaction, encryption, and printing logic, which, under specific document structures and user workflows, may cause a small amount of sensitive content to remain unremoved or unencrypted as expected, or result in printed output that slightly differs from what was reviewed on screen.

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.foxit.com/support/security-bulletins.html Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

10 Apr 2026, 01:36

Type Values Removed Values Added
First Time Foxit
Microsoft windows
Microsoft
Foxit pdf Reader
Foxit pdf Editor
CWE NVD-CWE-noinfo
References () https://www.foxit.com/support/security-bulletins.html - () https://www.foxit.com/support/security-bulletins.html - Vendor Advisory
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*
cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*
Summary
  • (es) La aplicación permite que JavaScript de PDF y las acciones de documento/impresión (como WillPrint/DidPrint) actualicen campos de formulario, anotaciones o grupos de contenido opcional (OCG) inmediatamente antes o después de la redacción, el cifrado o la impresión. Estas actualizaciones impulsadas por scripts no están completamente cubiertas por la lógica existente de redacción, cifrado e impresión, lo que, bajo estructuras de documento y flujos de trabajo de usuario específicos, puede hacer que una pequeña cantidad de contenido sensible permanezca sin eliminar o sin cifrar como se esperaba, o resultar en una salida impresa que difiera ligeramente de lo que se revisó en pantalla.

01 Apr 2026, 02:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-04-01 02:16

Updated : 2026-04-10 01:36

NVD link : CVE-2026-3774

Mitre link : CVE-2026-3774

CVE.ORG link : CVE-2026-3774

JSON object : View

Products Affected

microsoft

  • windows

foxit

  • pdf_editor
  • pdf_reader
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo