CVE-2025-66522: Cross-site Scripting in PDF Editor Cloud

Severity: 5.4 MEDIUM (NVD), 6.3 (CNA)
EPSS: 0.0% (top 86.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 19

Description

A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: foxit/pdf_editor_cloud 2025-12-01
CVEListV5: foxit_software_inc/pdfonline.foxit.com before 2025-12-01

Vulnerability Details (2)

CVEList (2025-12-19): Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Digital IDs Common Name Field
GHSA (2025-12-19): GHSA-5mp6-372v-5m92: A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline