Apryse WebViewer Core & UI Notes Panel
v11.8 (Core bundle)
A malicious PDF annotation whose “Author” field carries an XSS payload has that payload executed when a user interacts with the comments/notes panel.
The author string travels from the PDF (Core layer) into React component props (UI layer). When a user triggers a React state change (for example, by typing a comment), the he() function (a React internal helper) assigns the unsanitized author string directly to innerHTML, so markup in the field becomes live DOM. Because the payload lives in the document’s annotation metadata, the XSS is stored: it travels with the file and fires for any user who opens the document and interacts with the panel.
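The data flow described above, reduced to a minimal model as an added example (not Apryse code): the unsafe renderer interpolates the annotation's author field into markup the way an innerHTML assignment would, the hardened renderer escapes it first, and an ingest-time audit flags annotations whose metadata contains markup. The annotation objects and field names are constructed for the illustration.

```javascript
// Added illustration, not Apryse code: a minimal model of the flow described
// above, where a PDF annotation's Author string reaches the notes-panel renderer.
// SAMPLE_ANNOTATIONS are constructed; the second one carries a markup payload.
const SAMPLE_ANNOTATIONS = [
  { id: 'a1', author: 'Alice & Co.', contents: 'Looks good.' },
  { id: 'a2', author: '<img src=x onerror="alert(1)">', contents: 'Hi' },
];

// Escape the five characters that let text break out of an HTML text node or
// attribute value, so metadata is always displayed as text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the author string is interpolated into markup that a
// component later assigns to innerHTML, so tags in the PDF become live DOM.
function renderNoteUnsafe(ann) {
  return `<div class="note"><span class="author">${ann.author}</span>` +
         `<p>${ann.contents}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped before it joins the
// markup (equivalently, set it through textContent rather than innerHTML).
function renderNoteSafe(ann) {
  return `<div class="note"><span class="author">${escapeHtml(ann.author)}</span>` +
         `<p>${escapeHtml(ann.contents)}</p></div>`;
}

// Coarse ingest-time check: annotation metadata has no business containing
// angle brackets or script URLs. Returns the ids of annotations to log or
// review; it complements, and does not replace, output escaping.
function auditAnnotations(annotations) {
  const suspicious = /[<>]|javascript:|&#/i;
  return annotations
    .filter((a) => suspicious.test(a.author) || suspicious.test(a.contents))
    .map((a) => a.id);
}
```

Note that the legitimate author "Alice & Co." still needs escaping to render as text, which is why the safe renderer escapes unconditionally rather than relying on the audit.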