Foxit PDF Reader and PDF Editor prior to 11.1 on macOS allow remote malicious users to execute arbitrary code via getURL in the JavaScript API.
foxit pdf_editor
foxit pdf_reader