CVE-2026-1591 — Cross-site Scripting in PDF Editor Cloud

CWE-79 — Cross-site Scripting CWE-833 — Deadlock6 documents6 sources

Severity

5.4MEDIUMNVD

CNA6.3

EPSS

0.0%

top 84.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foxit PDF Editor Cloud Foxit Software INC Pdfonline.foxit.com

Timeline

PublishedFeb 3

Description

Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDfoxit/pdf_editor_cloud< 2026-02-03

▶CVEListV5foxit_software_inc/pdfonline.foxit.combefore 2026‑02‑03

🔴Vulnerability Details

CVEList

Stored XSS via Attachments Feature in https://pdfonline.foxit.com/↗2026-02-03

▶

GHSA

GHSA-g4wf-v389-9w53: Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature↗2026-02-03

▶

OSV

btrfs: release path before initializing extent tree in btrfs_read_locked_inode()↗2026-01-31

▶