Full Report
Foxit Software has released security updates addressing multiple cross-site scripting (XSS) vulnerabilities affecting Foxit PDF Editor Cloud and Foxit eSign, closing gaps that could have allowed attackers to execute arbitrary JavaScript within a user's browser. The patches were issued as part of Foxit's ongoing security and stability improvements, with the most recent update for Foxit PDF Editor Cloud released on February 3, 2026.

The vulnerabilities stem from weaknesses in input validation and output encoding within specific features of Foxit PDF Editor Cloud. According to Foxit's official advisory, attackers could exploit these flaws when users interacted with specially crafted file attachments or manipulated layer names inside PDF documents. In such cases, untrusted input could be embedded directly into the application's HTML structure without proper sanitization, enabling malicious script execution. The advisory states that the update includes security and stability improvements, and that no manual action is required beyond ensuring the software is up to date.

Details of Foxit PDF Editor Vulnerabilities CVE-2026-1591 and CVE-2026-1592

Two vulnerabilities were identified in Foxit PDF Editor Cloud: CVE-2026-1591 and CVE-2026-1592. Both issues fall under Cross-Site Scripting (CWE-79) and carry a Moderate severity rating, with a CVSS v3.0 score of 6.3. The vulnerabilities affect the File Attachments list and Layers panel, where attackers could inject crafted payloads into file names or layer names.

CVE-2026-1591, considered the primary issue, allows attackers to exploit insufficient input validation and improper output encoding to execute arbitrary JavaScript in a user's browser. CVE-2026-1592 presents the same risk through similar attack vectors and conditions. Both vulnerabilities were discovered and reported by security researcher Novee.

Although exploitation requires user interaction, the impact can be significant. Attackers must convince authenticated users to access specially crafted attachments or layer configurations. Once triggered, the malicious JavaScript runs within the browser context, potentially enabling session hijacking, exposure of sensitive data from open PDF documents, or redirection to attacker-controlled websites.

Enterprise Risk and Attack Surface Considerations

The attack surface is particularly relevant in enterprise environments where Foxit PDF Editor is widely used for document collaboration and editing. Employees often handle PDFs originating from external partners, customers, or public sources, increasing the likelihood of exposure to crafted payloads.

In addition to Foxit PDF Editor Cloud, Foxit also addressed a related XSS vulnerability affecting Foxit eSign, tracked as CVE-2025-66523. This flaw carries a CVSS score of 6.1 and occurs due to improper handling of URL parameters in specially crafted links. When authenticated users visit these links, untrusted input may be embedded into JavaScript code and HTML attributes without adequate encoding, creating opportunities for privilege escalation and cross-domain data theft. The patch for Foxit eSign was released on January 15, 2026.

Patches, Mitigation, and Security Guidance

Foxit confirmed that CVE-2026-1591, CVE-2026-1592, and CVE-2025-66523 have all been fully patched. The fixes include improved input validation and output encoding mechanisms designed to prevent malicious script injection. Updates for Foxit PDF Editor Cloud are deployed automatically or available through standard update mechanisms, requiring no additional configuration.

Organizations using Foxit PDF Editor Cloud and Foxit eSign should confirm that their systems are running the latest versions. Administrators are also advised to monitor for unusual JavaScript execution, unexpected PDF editor behavior, or anomalies in application logs.

For environments handling sensitive documents, additional controls may help reduce risk. These include limiting PDF editing to trusted networks, enforcing browser-based content security policies, and restricting access to untrusted attachments. End users should remain cautious when opening PDF files from unknown sources and avoid clicking suspicious links within eSign workflows.
Analysis Summary
# Vulnerability: XSS in Foxit PDF Editor Cloud and Foxit eSign
## CVE Details
- CVE ID: CVE-2026-1591, CVE-2026-1592, CVE-2025-66523
- CVSS Score: 6.3 (CVE-2026-1591/1592), 6.1 (CVE-2025-66523) (Severity: Moderate)
- CWE: CWE-79 (Cross-Site Scripting)
## Affected Systems
- Products: Foxit PDF Editor Cloud, Foxit eSign
- Versions: Unspecified vulnerable versions (Patches released in Feb 2026 and Jan 2026 respectively).
- Configurations: Requires authenticated user interaction with specially crafted input (file attachments/layer names in PDF Editor; crafted links in eSign).
## Vulnerability Description
The vulnerabilities stem from insufficient input validation and improper output encoding.
1. **CVE-2026-1591 & CVE-2026-1592 (PDF Editor Cloud):** Attackers can inject malicious JavaScript by crafting specific **file attachment names** or **layer names** within a PDF document. Untrusted input is embedded directly into the product’s HTML structure without proper sanitization.
2. **CVE-2025-66523 (eSign):** Occurs due to improper handling of **URL parameters** in specially crafted links. Untrusted input embedded into JavaScript code and HTML attributes leads to script execution upon link access.
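The two bug classes described above (a document-supplied name written straight into the attachments list or layers panel markup, and a URL parameter landing in an HTML attribute or inline script) both come down to missing output encoding. The following is an added illustration, not Foxit's code: a deliberately unsafe list renderer beside a context-encoded one, plus a JS-string encoder for the eSign-style case. The sample names and function names are constructed for the example.

```javascript
// Added example (not Foxit's code): the unsafe rendering pattern the advisory
// describes beside an output-encoded version. Runs under Node; no DOM needed.

// Encode the five characters that change meaning in HTML text and inside
// double-quoted attribute values. Safe for both of those contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: a layer or attachment name taken from the PDF is
// concatenated into markup, so any markup inside the name becomes live.
function renderListUnsafe(names) {
  return "<ul>" + names.map((n) => `<li title="${n}">${n}</li>`).join("") + "</ul>";
}

// Hardened pattern: every interpolation point is encoded for its context
// (text node and double-quoted attribute both covered by escapeHtml).
function renderListSafe(names) {
  return "<ul>" + names.map((n) => `<li title="${escapeHtml(n)}">${escapeHtml(n)}</li>`).join("") + "</ul>";
}

// eSign-style case: a request parameter that must become a JS string literal
// inside an inline <script>. JSON.stringify handles quotes and backslashes;
// "<" and ">" are additionally unicode-escaped so the value can never close
// or open a <script> element from inside the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c").replace(/>/g, "\\u003e");
}

// Constructed sample names; the second one carries markup and a quote,
// as a crafted layer or attachment name would.
const SAMPLE_NAMES = ["Invoice Q1.pdf", 'Layer "2" <script>x</script>'];

// Check used in the test: does rendered output still contain a raw script tag?
function containsRawTag(html) {
  return /<script/i.test(html);
}
```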
## Exploitation
- Status: The advisory describes the flaws only as potential risks and does not state that they have been exploited in the wild; this implies a proof-of-concept (PoC) likely exists or that exploitation is feasible.
- Complexity: Medium (Requires user interaction with a specially crafted document/link).
- Attack Vector: Assumed to be **Adjacent/Network** (delivering malicious file or link).
## Impact
- Confidentiality: High (Potential exposure of sensitive data from open PDF documents, cross-domain data theft via eSign).
- Integrity: High (Arbitrary JavaScript execution allows manipulation of the user session).
- Availability: Low/Medium (Primarily focused on session compromise rather than denial of service).
## Remediation
### Patches
- **Foxit PDF Editor Cloud (CVE-2026-1591, CVE-2026-1592):** Fully patched via security updates released on or around February 3, 2026. Updates are deployed automatically or via standard update mechanisms.
- **Foxit eSign (CVE-2025-66523):** Fully patched via updates released on January 15, 2026.
### Workarounds
- Limit PDF editing to trusted networks.
- Restrict access to untrusted attachments.
- End-users should be cautious opening PDFs from unknown sources and avoid clicking suspicious links in eSign workflows.
## Detection
- **Indicators of Compromise (IOCs):** Unusual JavaScript execution within the browser context when using Foxit applications; unexpected behavior in the PDF editor (e.g., layer interaction, attachment list viewing).
- **Detection Methods and Tools:** Monitor application logs for anomalies; enforce strict browser-based Content Security Policies (CSP) where possible.
## References
- Vendor Advisory: Foxit Security Updates (February 2026 cycle).
- Related Advisory: Foxit Security Updates (January 2026 cycle for eSign).