:novee-gym: Elite AI hackers aren’t born. They’re trained.

Step into the gym at Black Hat 2026.

:novee-gym: Elite AI hackers aren’t born. They’re trained.

Step into the gym at Black Hat 2026.
HIGH

CVE-2025-70401 - Stored DOM XSS via Annotation Author Field

Discovered By Novee Agent Published on 24 Feb, 2026

Affected Component

Apryse WebViewer Core & UI Notes Panel

Affected Versions Vs. Fixed Version

v11.8 (Core bundle)

Summary

Malicious PDF annotations containing XSS payloads in the “Author” field execute when a user interacts with the comments/notes panel.

Description

The author string travels from the PDF (Core layer) to React component props (UI layer). When a user triggers a React state change (like typing a comment), the he() function (a React internal helper) assigns the unsanitized author string directly to innerHTML. The payload is “stored” within the document’s metadata.

< Back to vulnerabilities