16 Zero-Days in Cloud PDF Platforms Show Why Uploading Files Is a Security Risk
Researchers found 16 vulnerabilities in Foxit and Apryse PDF tools in February 2026, enabling account takeover and data exfiltration. The root cause is server-side file processing.
VaultTools · March 20, 2026
Table of Contents
- What happened
- What the vulnerabilities allowed
- Why cloud PDF tools carry this risk structurally
- Browser-based tools have no server to attack
- What users should do now
- Sources
What Happened
On February 18, 2026, security firm Novee published research disclosing 16 zero-day vulnerabilities across two major cloud PDF platforms: Foxit and Apryse (formerly PDFTron). Novee used AI agents trained on known vulnerability patterns to scan both platforms automatically, uncovering 13 distinct vulnerability categories in the process.
The breakdown: one critical and two high-severity flaws in Apryse WebViewer, two high-severity and eleven medium-severity issues in Foxit. Both vendors were notified through responsible disclosure and have since issued patches. CVE-2025-70402 and CVE-2025-70400 cover the most severe Apryse flaws.
Foxit and Apryse are not obscure products. They are among the most widely deployed PDF SDKs in enterprise software. Their cloud services handle documents uploaded by millions of users.
What the Vulnerabilities Allowed
The flaw types read like a standard server-side attack checklist: DOM-based cross-site scripting (XSS), stored and reflected XSS, server-side request forgery (SSRF), path traversal, and OS command injection.
Exploitation in several cases required nothing more than opening a crafted document or visiting a malicious URL. A one-click attack is as bad as it sounds: a user opens what looks like a normal PDF, and an attacker gains the ability to exfiltrate data or execute commands on the platform’s backend servers. No browser exploit is required. The vulnerability lives on the server side, processing the file the user uploaded.
Account takeover and data exfiltration were both demonstrated as realistic outcomes. For a platform that processes contracts, financial records, or medical documents, those words carry significant weight.
Why Cloud PDF Tools Carry This Risk Structurally
This class of vulnerability is not a bug in the usual sense. It is a consequence of architecture. When a PDF tool processes files on a server, the server must parse complex, attacker-controlled input. PDF is one of the most complicated file formats in existence, with embedded JavaScript, rich metadata, nested compression, and multiple codec layers. Every parser is an attack surface.
SSRF, path traversal, and OS command injection vulnerabilities all require a server to be running code on behalf of the user. XSS in a web-based document viewer exists because a server renders content that originated from an uploaded file. Remove the server from the equation and the entire category of risk disappears.
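The two server-side flaw classes named above, path traversal and SSRF, both come down to the backend trusting a value the client controls (a filename, a URL) when it touches its own filesystem or network. The following Python module is an added illustration for this article, not code from Foxit, Apryse, Novee or VaultTools: it shows the naive filename join beside a hardened one, and an allow-list check for a hypothetical "convert the PDF at this URL" feature. `UPLOAD_ROOT`, the function names and the `CONSTRUCTED_DNS` mapping (which stands in for DNS so the example runs offline) are assumptions made for this example.

```python
"""Input checks a server-side PDF service needs once it accepts files and URLs.

Added illustration for this article; not code from Foxit, Apryse, Novee or
VaultTools. UPLOAD_ROOT, the function names and CONSTRUCTED_DNS are
assumptions made for the example.
"""
import ipaddress
import os
import tempfile
from typing import Callable, Optional
from urllib.parse import urlsplit

# Hypothetical directory where uploaded PDFs are written before processing.
UPLOAD_ROOT = os.path.join(tempfile.gettempdir(), "pdf_uploads")


def path_is_under(root: str, path: str) -> bool:
    """True if `path` resolves to a location inside `root` (symlinks and '..' applied)."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    try:
        return os.path.commonpath([real_root, real_path]) == real_root
    except ValueError:  # different drives on Windows: certainly not under root
        return False


def naive_upload_path(root: str, client_filename: str) -> str:
    """The path-traversal mistake: join the client's filename to the root unchecked.
    A name such as '../../etc/passwd' escapes the upload directory."""
    return os.path.join(root, client_filename)


def resolve_upload_path(root: str, client_filename: str) -> Optional[str]:
    """Hardened mapping of a client filename to a path under `root`.

    Returns None (a real handler would answer HTTP 400) when the name is empty,
    carries a null byte, is not a .pdf, or would land outside the root.
    """
    # Keep only the last component, treating backslashes as separators too,
    # since the server may not run on the OS the client assumed.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        return None
    if not name.lower().endswith(".pdf"):
        return None
    candidate = os.path.join(os.path.realpath(root), name)
    # Defence in depth: basename already removed traversal; verify anyway.
    if not path_is_under(root, candidate):
        return None
    return candidate


# Constructed name->address map standing in for DNS, so the example runs offline.
CONSTRUCTED_DNS = {
    "public.example": "8.8.8.8",       # any globally routable address
    "intranet.internal": "10.0.0.5",   # RFC 1918: only the server's network reaches it
}


def is_safe_fetch_url(url: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Allow-list check for a 'convert the PDF at this URL' feature.

    SSRF arises when the backend fetches whatever URL the client supplies and
    thereby reaches services only the server's network can address. This check
    admits only http(s) URLs whose host is, or resolves to, a globally routable
    address. `resolve` maps a hostname to an IP string (None when unknown); the
    caller must then connect to the address that was checked rather than
    re-resolving the name, or a changing DNS answer bypasses the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # file://, gopher:// and friends are never fetched
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)  # literal IPv4/IPv6 in the URL
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return False
        ip = ipaddress.ip_address(resolved)
    # is_global is False for loopback, private, link-local, multicast,
    # documentation and other special-purpose ranges.
    return ip.is_global


if __name__ == "__main__":
    for name in ("report.pdf", "../../etc/passwd", "..\\..\\notes.PDF"):
        print(repr(name), "->", resolve_upload_path(UPLOAD_ROOT, name))
    for url in ("http://public.example/doc.pdf", "http://intranet.internal/",
                "http://127.0.0.1:8080/", "file:///etc/passwd"):
        print(url, "->", is_safe_fetch_url(url, CONSTRUCTED_DNS.get))
```

Two design points worth noting. The filename check keeps only the basename and then still verifies the resolved path with `path_is_under`, because a later refactor that stops stripping directories should fail closed rather than silently reopen traversal. The URL check deliberately takes the resolver as a parameter: the address that passed the check is the one the fetch must use, which is why the check returns a verdict on the resolved address rather than letting the HTTP client resolve the hostname a second time.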
These are not implementation mistakes Foxit or Apryse made carelessly. They are the inherent cost of cloud-based file processing at scale.
Browser-Based Tools Have No Server to Attack
A PDF tool that runs entirely in the browser via WebAssembly never receives the user’s file on any server. There is no backend to inject commands into. There is no file stored on cloud infrastructure. There is no session or account that can be hijacked through a crafted document.
The 16 vulnerabilities disclosed by Novee are all server-side attack paths. A browser-based architecture closes all of them simultaneously, not through better security engineering, but by eliminating the server-side processing component entirely.
This is not a theoretical benefit. It is a structural property: an attacker cannot exfiltrate a file from a server that never received it.
What Users Should Do Now
Users of Foxit or Apryse cloud services should confirm they are running the latest patched versions. Both vendors have addressed the reported vulnerabilities following Novee’s responsible disclosure.
More broadly, anyone handling sensitive documents (legal, financial, medical, or personal) through cloud-based online tools should ask one question before uploading: where does this file go, and who can reach it there? The answer is rarely as clean as the service’s marketing suggests.
Browser-based tools, where processing happens on the user’s own device, give a cleaner answer: the file goes nowhere.
Sources
- Vulnerabilities in Popular PDF Platforms Allowed Account Takeover, Data Exfiltration (SecurityWeek)
- Hacker-Trained AI Discovers 16 New 0-Day Vulnerabilities in PDF Engines (Novee)
- From PDF to Pwn: Scalable 0day Discovery in PDF Engines (Novee)
- Modern PDF Platforms Are Becoming High-Risk Attack Surfaces (SiliconANGLE)
- Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks (HackRead)
- 16 Zero-Day Vulnerabilities in Popular PDF Platforms Enable Code Execution and Data Exfiltration (CyberSecurityNews)
- Account Hijacking, Data Theft Likely with Foxit, Apryse Flaws (SC Media)
- 16 Zero-Day Vulnerabilities Found in Apryse and Foxit PDF Platforms (VPN Central)