Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one Foxit Reader vulnerability, and six LibRaw file reader vulnerabilities.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Foxit use-after-free vulnerability

Discovered by KPC of Cisco Talos.

Foxit Reader allows users to view, edit, and sign PDF documents, among other features. Foxit aims to be one of the most feature-rich PDF readers on the market, and contains many similar functions to that of Adobe Acrobat Reader.

TALOS-2026-2365 (CVE-2026-3779) is a use-after-free vulnerability in the way Foxit Reader handles an Array object. A specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.

LibRaw heap-based buffer overflow and integer overflow vulnerabilities

Discovered by Francesco Benvenuto of Cisco Talos.

LibRaw is a library and user interface for processing RAW file types and metadata created by digital cameras. Talos analysts found 6 vulnerabilities in LibRaw.

TALOS-2026-2330 (CVE-2026-20911), TALOS-2026-2331 (CVE-2026-21413), TALOS-2026-2358 (CVE-2026-20889), and TALOS-2026-2359 (CVE-2026-24660) are heap-based buffer overflow vulnerabilities in LibRaw, and TALOS-2026-2363 (CVE-2026-24450) and TALOS-2026-2364 (CVE-2026-20884) are integer overflow vulnerabilities. Specially crafted malicious files can lead to heap buffer overflow in all cases. An attacker can provide a malicious file to trigger these vulnerabilities.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a vulnerability in HikVision, as well as 10 in TP-Link, and 19 in Canva.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Canva Affinity vulnerabilities

Discovered by KPC of Cisco Talos.

Canva Affinity is a free-to-use tool for pixel and vector art manipulation used in graphic and document design.

Talos researchers found 19 vulnerabilities in Affinity. Eighteen of them are out-of-bounds read vulnerabilities in the EMF functionality of Canva Affinity. By using a specially crafted EMF file, an attacker could exploit these vulnerabilities to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information.

• TALOS-2025-2311 (CVE-2025-64776)
• TALOS-2025-2310 (CVE-2025-64301)
• TALOS-2025-2300 (CVE-2025-64733)
• TALOS-2025-2319 (CVE-2025-66042)
• TALOS-2025-2321 (CVE-2025-62403)
• TALOS-2025-2314 (CVE-2025-58427)
• TALOS-2025-2298 (CVE-2025-62500)
• TALOS-2025-2299 (CVE-2025-61979)
• TALOS-2025-2317 (CVE-2025-61952)
• TALOS-2025-2316 (CVE-2025-47873)
• TALOS-2025-2318 (CVE-2025-66503)
• TALOS-2025-2324 (CVE-2026-20726)
• TALOS-2025-2301 (CVE-2025-66000)
• TALOS-2025-2320 (CVE-2025-65119)
• TALOS-2025-2325 (CVE-2026-22882)
• TALOS-2025-2315 (CVE-2025-66617)
• TALOS-2025-2313 (CVE-2025-66633)
• TALOS-2025-2312 (CVE-2025-64735)

The last vulnerability is TALOS-2025-2297 (CVE-2025-66342), a type confusion vulnerability in the EMF functionality of Canva Affinity. A specially crafted EMF file can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos researchers found 10 vulnerabilities in the router functionality.

TALOS-2025-2290 (CVE-2025-62673) is a stack-based buffer overflow vulnerability in the tdpServer ssh port update functionality of Tp-Link AX53. A specially crafted network packet can lead to stack-based buffer overflow.

These eight vulnerabilities exist in the tmpServer opcode of the AX53:

• TALOS-2025-2283 (CVE-2025-59482): Buffer overflow
• TALOS-2025-2284 (CVE-2025-62405): Stack-based buffer overflow
• TALOS-2025-2285 (CVE-2025-59487): Write-what-where
• TALOS-2025-2286 (CVE-2025-61983): Out-of-bounds write
• TALOS-2025-2287 (CVE-2025-62404): Stack-based buffer overflow
• TALOS-2025-2288 (CVE-2025-61944): Out-of-bounds write
• TALOS-2025-2289 (CVE-2025-58455): Stack-based buffer overflow
• TALOS-2025-2294 (CVE-2025-58077): Heap-based buffer overflow

A specially crafted set of network packets can be sent to trigger these vulnerabilities, which can lead to arbitrary code execution.

TALOS-2025-2291 (CVE-2025-62501) is a misconfiguration vulnerability in the SSH Hostkey functionality. A specially crafted man-in-the-middle attack can lead to credentials leak.

HikVision buffer overflow vulnerability

Discovered by a member of Cisco Talos.

HikVision creates AI-trained machine perception for use in security surveillance and other monitoring hardware, including Ultra Face Recognition Terminals for authentication.

Talos researchers found TALOS-2025-2281 (CVE-2025-66176), a stack-based buffer overflow vulnerability, in the SADP XML parsing functionality of Hangzhou Hikvision Digital Technology Co., Ltd. Ultra Face Recognition Terminal 3.7.60_250613 and Face Recognition Terminal for Turnstyle 3.7.0_240524 (under emulation). A specially crafted network packet can lead to remote code execution. An attacker can send a malicious packet to trigger this vulnerability.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed vulnerabilities in the BioSig Project Libbiosig library and OpenCFD OpenFOAM, as well as an unpatched vulnerability in Microsoft DirectX.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy, apart from the DirectX vulnerability. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

Microsoft DirectX local privilege escalation vulnerability

Discovered by KPC of Cisco Talos. 

The Microsoft DirectX End-User Runtime installs runtime libraries from the legacy DirectX SDK for some certain games. It comes pre-installed on Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, Windows Vista, Windows 7, Windows 8.0, Windows 8.1, Windows 10, and Windows Server equivalents.

Talos discovered a local privilege escalation vulnerability in the installation process of DirectX End-User Runtime: TALOS-2025-2293 (CVE-2025-68623). A low-privileged user can replace an executable file during the installation process, which may result in unintended elevation of privileges.

OpenFOAM arbitrary code execution vulnerability

Discovered by Dimitrios Tatsis of Cisco Talos.

OpenFOAM is an open-source computational fluid dynamics (CFD) software developed primarily by OpenCFD Ltd.

Talos discovered TALOS-2025-2292 (CVE-2025-61982), an arbitrary code execution vulnerability in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Libbiosig out-of-bounds read, heap-based buffer overflow vulnerabilities

Discovered by Mark Bereza of Cisco Talos.

BioSig is an open source software library for biomedical signal processing. The BioSig Project seeks to encourage research in biomedical signal processing by providing open source software tools. Libbiosig is a library dependency for BioSig.

Talos discovered TALOS-2025-2323 (CVE-2025-64736), an out-of-bounds read vulnerability in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Talos also discovered two heap-based buffer overflow vulnerabilities, TALOS-2026-2361 (CVE-2026-22891) and TALOS-2026-2362 (CVE-2026-20777), in the Intan CLP parsing and Nicolet WFT parsing functionalities of the BioSig Project, respectively. A specially crafted CLP or WFT file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in Foxit PDF Editor, one in the Epic Games Store, and twenty-one in MedDream PACS.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

Foxit privilege escalation and use-after-free vulnerabilities

Discovered by KPC of Cisco Talos.

Foxit PDF Editor is a popular PDF handling platform for editing, e-signing, and collaborating on PDF documents. Talos found three vulnerabilities:

TALOS-2025-2275 (CVE-2025-57779) is a privilege escalation vulnerability in the installation of Foxit PDF Editor via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in elevation of privileges.

TALOS-2025-2277 (CVE-2025-58085) and TALOS-2025-2278 (CVE-2025-59488)  are use-after-free vulnerabilities, one in the way Foxit Reader handles a Barcode field object, and one in the way Foxit Reader handles a Text Widget field object. A specially crafted JavaScript code inside a malicious PDF document can trigger these vulnerabilities, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger these vulnerabilities. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

Epic Games local privilege escalation vulnerability

Discovered by KPC of Cisco Talos.

Epic Games Store is a storefront application for purchasing and accessing video games. Talos found TALOS-2025-2279 (CVE-2025-61973), a local privilege escalation vulnerability in the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in elevation of privileges.

MedDream PACS reflected cross-site scripting vulnerabilities

Discovered by Marcin “Icewall” Noga of Cisco Talos.

MedDream PACS server is a medical-integration system for archiving and communicating about DICOM 3.0 compliant images. Talos found 21 reflected cross-site scripting (XSS) vulnerabilities across several functions of MedDream PACS Premium 7.3.6.870. An attacker can provide a specially crafted URL to trigger these vulnerabilities, which can lead to arbitrary JavaScript code execution. 

• TALOS-2025-2253 (CVE-2025-54817): autoPurge functionality 
• TALOS-2025-2254 (CVE-2025-53516): downloadZip functionality
• TALOS-2025-2255 (CVE-2025-54495): emailfailedjob functionality
• TALOS-2025-2256 (CVE-2025-54157): encapsulatedDoc functionality
• TALOS-2025-2257 (CVE-2025-54778): existingUser functionality
• TALOS-2025-2258 (CVE-2025-46270): fetchPriorStudies functionality 
• TALOS-2025-2259 (CVE-2025-55071): modifyAnonymize functionality 
• TALOS-2025-2260 (CVE-2025-54852): modifyAeTitle functionality 
• TALOS-2025-2261 (CVE-2025-54814): modifyAutopurgeFilter functionality
• TALOS-2025-2262 (CVE-2025-54861): modifyCoercion functionality
• TALOS-2025-2263 (CVE-2025-57881): modifyEmail functionality
• TALOS-2025-2264 (CVE-2025-58080): modifyHL7App functionality 
• TALOS-2025-2265 (CVE-2025-53854): modifyHL7Route functionality 
• TALOS-2025-2266 (CVE-2025-57787): modifyRoute functionality
• TALOS-2025-2267 (CVE-2025-53707): modifyTranscript functionality
• TALOS-2025-2268 (CVE-2025-54853): modifyUser functionality
• TALOS-2025-2269 (CVE-2025-57786): notifynewstudy functionality
• TALOS-2025-2270 (CVE-2025-44000): sendOruReport functionality 
• TALOS-2025-2271 (CVE-2025-58087-CVE-2025-58095): config.php functionality
• TALOS-2025-2272 (CVE-2025-36556): ldapUser functionality
• TALOS-2025-2273 (CVE-2025-53912): encapsulatedDoc functionality