Foxit Software has patched critical cross-site scripting (XSS) vulnerabilities affecting Foxit PDF Editor Cloud and Foxit eSign that could have allowed attackers to execute arbitrary JavaScript in users' browsers. The vulnerabilities stem from inadequate input validation and incorrect output encoding in the file attachment and layer name fields, which open the door for malicious script injection when users interact with crafted content.
The main vulnerability, CVE-2026-1591, impacts the functionality of the Layers panel and File Attachments list in Foxit PDF Editor Cloud. The vulnerability enables arbitrary JavaScript execution by allowing attackers to insert untrusted input into the HTML structure without proper encoding or sanitization. Through comparable attack vectors, a companion vulnerability, CVE-2026-1592, poses the same risk.
With a CVSS 3.0 score of 6.3, both vulnerabilities carry a Moderate severity rating, indicating the possibility of unauthorized access and information disclosure when exploited. To complete the attack chain, an attacker must persuade a user to open a specially crafted file attachment or layer configuration carrying the malicious payload. Once it runs, the arbitrary JavaScript executes inside the user's browser context, giving attackers the ability to harvest private information from open PDF documents, steal session tokens, or redirect users to malicious websites.
In corporate settings where PDF editing workflows are typical and users regularly handle files from external sources, the attack surface is especially worrisome. Users of Foxit eSign are susceptible to a related but unique XSS vulnerability, identified as CVE-2025-66523, which has a CVSS score of 6.1.
This vulnerability arises because URL parameters in specially crafted links visited by authenticated users are handled incorrectly. By permitting untrusted input to be embedded into HTML attributes and JavaScript code without the necessary encoding, the flaw creates a pathway for privilege escalation and cross-domain data theft in eSign workflows. As part of its response, Foxit put in place thorough input validation and output encoding procedures to stop malicious scripts from being injected and executed.
CVE ID          Product                  Vulnerability Type             Severity  CVSS Score  Attack Vector            Status
CVE-2026-1591   Foxit PDF Editor Cloud   Cross-Site Scripting (CWE-79)  Moderate  6.3         Layers Panel             Patched
CVE-2026-1592   Foxit PDF Editor Cloud   Cross-Site Scripting (CWE-79)  Moderate  6.3         File Attachments         Patched
CVE-2025-66523  Foxit eSign              Cross-Site Scripting (CWE-79)  Moderate  6.1         URL Parameter Injection  Patched

The patches were made available for Foxit eSign on January 15, 2026, and for Foxit PDF Editor Cloud on February 3, 2026. The company affirmed that, since patches are deployed automatically or delivered through the standard update mechanism, no user action is necessary beyond updating to the most recent versions. Businesses that use Foxit eSign and Foxit PDF Editor Cloud should make sure their systems are running the most recent patches.
Administrators should watch for indications of exploitation, such as unusual JavaScript execution logs or unexpected PDF editor behavior. Implementing browser-based content security policies and limiting PDF editing capabilities to trusted networks can add extra security layers for environments handling sensitive documents. Users should be cautious when opening PDF attachments from untrusted sources and refrain from clicking dubious links in eSign workflows.
Researchers are encouraged to report vulnerabilities via Foxit Software's official channels at security-ml@foxit.com, and the company maintains a dedicated security response team. For updates on new vulnerabilities or patches affecting their deployed versions, organizations can visit Foxit's security advisory page.