Foxit Software released security updates fixing multiple cross-site scripting (XSS) vulnerabilities in Foxit PDF Editor Cloud and Foxit eSign that could allow attackers to execute arbitrary JavaScript in users’ browsers. The flaws (including CVE-2026-1591, CVE-2026-1592, and CVE-2025-66523) stem from improper input validation and output encoding and have been patched; administrators should ensure their installations are up to date. #FoxitPDFEditorCloud #FoxitESign
Key points
- Foxit released patches for multiple cross-site scripting (XSS) vulnerabilities in Foxit PDF Editor Cloud and Foxit eSign.
- CVE-2026-1591 and CVE-2026-1592 (CVSS 6.3) affect file attachment names and the Layers panel, where insufficient input validation allows arbitrary JavaScript execution.
- CVE-2025-66523 (CVSS 6.1) impacts Foxit eSign through improper handling of URL parameters in crafted links.
- Exploitation requires user interaction but can lead to session hijacking, exposure of sensitive PDF data, or redirection to attacker-controlled sites.
- All issues are patched; organizations should apply updates, monitor for anomalous JavaScript execution, enforce content security policies, and restrict editing to trusted networks.
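The root cause named above (missing validation and output encoding of strings taken from a document or a link) is shown here as an added example; it is not Foxit's code. The function names, the `signer` parameter, the `esign.example` host and the sample values are all assumptions constructed for illustration.

```javascript
// Added example (not vendor code): encoding document- and URL-supplied strings at output.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for use in HTML text or inside a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: an attachment name read from the file is concatenated into markup.
function renderAttachmentUnsafe(name) {
  return `<li class="attachment">${name}</li>`;
}

// Hardened: same markup, with the name encoded at every point of output.
function renderAttachment(name) {
  const safe = escapeHtml(name);
  return `<li class="attachment" title="${safe}">${safe}</li>`;
}

// Layer names also come from the document, so they get the same treatment.
function renderLayer(layer) {
  const checked = layer.visible ? " checked" : "";
  return `<label><input type="checkbox"${checked}> ${escapeHtml(layer.name)}</label>`;
}

// URL parameter (hypothetical "signer"): validate the expected shape first,
// then still encode, because valid input can contain markup-significant characters.
function renderSignerBanner(url) {
  const raw = new URL(url).searchParams.get("signer") ?? "";
  const name = /^[\p{L}\p{N} .'-]{1,64}$/u.test(raw) ? raw : "Unknown signer";
  return `<p class="banner">Document sent by ${escapeHtml(name)}</p>`;
}

// Constructed sample inputs using a standard harmless XSS probe string.
const SAMPLE_NAME = 'q3-report"><img src=x onerror=alert(1)>.pdf';
const SAMPLE_LINK = "https://esign.example/view?signer=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

console.log(renderAttachmentUnsafe(SAMPLE_NAME)); // markup survives intact
console.log(renderAttachment(SAMPLE_NAME));       // rendered as inert text
console.log(renderSignerBanner(SAMPLE_LINK));     // rejected by validation
```

Encoding at the output sink is the primary control here; a content security policy, as the key points recommend, limits the damage if one sink is missed.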
Read More: https://thecyberexpress.com/foxit-pdf-editor-xss-vulnerabilities/