Foxit PDF Editor Cloud vulnerabilities

9 known vulnerabilities affecting foxit/pdf_editor_cloud.

Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 9

Vulnerabilities

CVE-2026-1592 | MEDIUM | CVSS 5.4 | fixed in 2026-02-03 | 2026-02-03
CWE-79: Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026-02-03.
Source: nvd

CVE-2026-1591 | MEDIUM | CVSS 5.4 | fixed in 2026-02-03 | 2026-02-03
CWE-79: Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026-02-03.
Source: nvd

CVE-2025-66502 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded.
Source: nvd

CVE-2025-66501 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used
Source: nvd

CVE-2025-66521 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.
Source: nvd

CVE-2025-66522 | MEDIUM | CVSS 5.4 | ≤ 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the
Source: nvd

CVE-2025-66519 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.
Source: nvd

CVE-2025-66520 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor Cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list
Source: nvd

CVE-2025-66500 | MEDIUM | CVSS 5.4 | fixed in 2025-12-01 | 2025-12-19
CWE-79: A stored cross-site scripting (XSS) vulnerability exists in webplugins.foxit.com. A postMessage handler fails to validate the message origin and directly assigns externalPath to a script source, allowing an attacker to execute arbitrary JavaScript when a crafted postMessage is received.
Source: nvd