Foxit PDF Editor Vulnerability Allows Attackers to Execute Arbitrary JavaScript

Foxit Software has patched a set of cross-site scripting (XSS) vulnerabilities, rated Moderate, affecting Foxit PDF Editor Cloud and Foxit eSign; each allows an attacker to execute arbitrary JavaScript in a victim's browser.

The vulnerabilities stem from insufficient input validation and missing output encoding on the file attachment and layer name fields: values supplied by an attacker are written into the page's HTML as-is, so a name that contains markup or script is rendered rather than displayed as text when a user views it.

The primary vulnerability, identified as CVE-2026-1591, affects the File Attachments list and Layers panel functionality within Foxit PDF Editor Cloud.

The flaw allows attackers to embed untrusted input into the HTML structure without adequate encoding or sanitization, enabling arbitrary JavaScript execution.

A companion vulnerability, CVE-2026-1592, presents the same risk through the same attachment and layer name fields. Both carry a Moderate severity rating with a CVSS 3.0 score of 6.3; exploitation requires an authenticated attacker and can lead to unauthorized access and information disclosure.

Exploitation requires user interaction: the attacker must get a user to open or view a specially crafted file attachment entry or layer configuration that carries the malicious payload.

Once executed, the injected JavaScript runs in the user's browser with the user's session, so it can read session tokens that are not protected by the HttpOnly cookie flag, harvest data from PDF documents open in the editor, issue requests to the application on the user's behalf, or redirect the user to attacker-controlled sites.

The attack surface is particularly concerning in enterprise environments where PDF editing workflows are common, and users frequently handle files from external sources.

Foxit eSign users face a related but distinct XSS vulnerability tracked as CVE-2025-66523, with a CVSS score of 6.1.

This vulnerability occurs through improper handling of URL parameters in specially crafted links that authenticated users visit.

The flaw allows untrusted input from those URL parameters to be embedded into JavaScript code and HTML attributes without context-appropriate encoding, giving an attacker a vector for privilege escalation and cross-domain data theft within eSign workflows.

Foxit’s response included implementing comprehensive input validation and output encoding mechanisms to prevent the injection and execution of malicious scripts.

CVE ID | Product | Vulnerability Type | Severity | CVSS Score | Attack Vector | Status
--- | --- | --- | --- | --- | --- | ---
CVE-2026-1591 | Foxit PDF Editor Cloud | Cross-Site Scripting (CWE-79) | Moderate | 6.3 | File Attachments/Layers Panel | Patched
CVE-2026-1592 | Foxit PDF Editor Cloud | Cross-Site Scripting (CWE-79) | Moderate | 6.3 | File Attachments/Layers Panel | Patched
CVE-2025-66523 | Foxit eSign | Cross-Site Scripting (CWE-79) | Moderate | 6.1 | URL Parameter Injection | Patched

The patches were released on February 3, 2026, for Foxit PDF Editor Cloud and on January 15, 2026, for Foxit eSign.

The company stated that no user action is required beyond updating to the latest versions: patches are deployed automatically or are available through the standard update mechanism.

Organizations using Foxit PDF Editor Cloud and eSign should verify their systems are running the latest patched versions.

Administrators should monitor for signs of exploitation, such as file attachment or layer names that contain markup or script fragments, unexpected redirects or outbound requests originating from the editor, and sessions reused from unfamiliar locations after a user viewed a shared document.

For environments handling sensitive documents, restricting PDF editing capabilities to trusted networks and deploying a Content Security Policy can provide additional protective layers; a CSP only limits injected scripts if it does not permit inline script ('unsafe-inline'), so its effect depends on how the application itself loads its scripts.

Users should exercise caution when opening PDF attachments from untrusted sources and avoid clicking suspicious links within eSign workflows.

Foxit Software maintains a dedicated security response team and encourages researchers to report vulnerabilities through their official channels at security-ml@foxit.com.

Organizations can check Foxit’s security advisory page for updates on additional vulnerabilities or patches affecting their deployed versions.


The post Foxit PDF Editor Vulnerability Allows Attackers to Execute Arbitrary JavaScript appeared first on Cyber Security News.
