Your AI coding agent will run this exploit for you

See how we found a high-severity CVE in Cursor

HIGH

CVE-2025-70401 - Stored DOM XSS via Annotation Author Field

Discovered By

Novee Agent

Published on

24 Feb, 2026

Affected Component

Apryse WebViewer Core & UI Notes Panel

Affected Versions Vs. Fixed Version

v11.8 (Core bundle)

Summary

Malicious PDF annotations containing XSS payloads in the “Author” field execute when a user interacts with the comments/notes panel.

Description

The author string travels from the PDF (Core layer) to React component props (UI layer). When a user triggers a React state change (like typing a comment), the he() function (a React internal helper) assigns the unsanitized author string directly to innerHTML. The payload is “stored” within the document’s metadata.
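The flaw class described above, shown as an added example (not Apryse WebViewer or React code, and not from the original advisory): an author string concatenated into markup bound for `innerHTML`, beside a hardened form that escapes it first. All function names and the sample annotations are hypothetical, and the markup is built as a plain string so the block runs in Node without a DOM.

```javascript
// Added illustration; every name here is hypothetical.
// Constructed sample: annotation records as a UI layer might receive them
// from the PDF layer. Benign markup stands in for an attacker-chosen Author.
const sampleAnnotations = [
  { id: 'a1', author: 'Alice Example', contents: 'Looks good.' },
  { id: 'a2', author: '<b>Mallory</b> & "Co"', contents: 'See page 3.' },
];

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Turn a value into inert text for an HTML context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the author is concatenated into markup unchanged,
// so any tags it carries are parsed once the string reaches innerHTML.
function authorMarkupUnsafe(annotation) {
  return '<span class="note-author">' + annotation.author + '</span>';
}

// Hardened pattern: the author is escaped before it reaches markup.
// With a real DOM, assigning to textContent avoids HTML parsing entirely.
function authorMarkupSafe(annotation) {
  return '<span class="note-author">' + escapeHtml(annotation.author) + '</span>';
}

// Triage helper: ids of annotations whose author contains angle brackets,
// which a display name has no reason to carry.
function findSuspectAuthors(annotations) {
  return annotations
    .filter((a) => /[<>]/.test(String(a.author)))
    .map((a) => a.id);
}

console.log(authorMarkupUnsafe(sampleAnnotations[1]));
console.log(authorMarkupSafe(sampleAnnotations[1]));
console.log(findSuspectAuthors(sampleAnnotations));
```

Because the string is stored in the document, the escaping has to happen on every render path that displays the author, not only when the annotation is first loaded.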
