CVE-2025-66501 — Cross-site Scripting in PDF Editor Cloud

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

CNA6.3

EPSS

0.0%

top 86.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxit PDF Editor Cloud Foxit Software INC Pdfonline.foxit.com

Timeline

PublishedDec 19

Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5foxit_software_inc/pdfonline.foxit.combefore 2025‑12‑01

▶NVDfoxit/pdf_editor_cloud< 2025-12-01

🔴Vulnerability Details

CVEList

Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature↗2025-12-19

▶

GHSA

GHSA-wwrp-v67c-phr5: A stored cross-site scripting (XSS) vulnerability exists in pdfonline↗2025-12-19

▶