An issue exists in Foxit Reader and PhantomPDF prior to 10.1.4. It allows SQL Injection via crafted data at the end of a string.
foxitsoftware foxit reader
foxitsoftware phantompdf