Foxit PDF Reader and PDF Editor prior to 11.1 on macOS allow remote malicious users to execute arbitrary code via xfa.host.gotoURL in the XFA API.
foxit pdf_reader
foxit pdf_editor