12 vulnerabilities found for pdfonline.foxit.com by Foxit Software Inc.
CVE-2025-66522 (GCVE-0-2025-66522)
Vulnerability from nvd
Published
2025-12-19 07:34
Modified
2025-12-19 14:36
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66522",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:34:54.934596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:36:38.557Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\nA stored cross-site scripting (XSS) vulnerability exists in the \u003cstrong\u003eDigital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com)\u003c/strong\u003e. The application does not properly sanitize or encode the \u003cstrong\u003eCommon Name\u003c/strong\u003e field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the \u003cstrong\u003eDigital IDs dialog\u003c/strong\u003e is accessed or when the affected PDF is loaded.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:33:02.137Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Digital IDs Common Name Field",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66522",
"datePublished": "2025-12-19T07:34:29.208Z",
"dateReserved": "2025-12-04T03:37:51.889Z",
"dateUpdated": "2025-12-19T14:36:38.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66521 (GCVE-0-2025-66521)
Vulnerability from nvd
Published
2025-12-19 07:33
Modified
2025-12-19 16:06
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66521",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:38:35.741855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T16:06:20.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\nA stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003eTrusted Certificates feature\u003c/strong\u003e. A crafted payload can be injected as the \u003cstrong\u003ecertificate name\u003c/strong\u003e, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the \u003cstrong\u003eTrusted Certificates\u003c/strong\u003e view is loaded.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:32:50.377Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Trusted Certificates Feature",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66521",
"datePublished": "2025-12-19T07:33:01.761Z",
"dateReserved": "2025-12-04T03:37:51.889Z",
"dateUpdated": "2025-12-19T16:06:20.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66520 (GCVE-0-2025-66520)
Vulnerability from nvd
Published
2025-12-19 07:30
Modified
2025-12-19 14:41
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66520",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:40:49.738524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:41:00.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\nA stored cross-site scripting (XSS) vulnerability exists in the \u003cstrong\u003ePortfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com)\u003c/strong\u003e. User-supplied \u003cstrong\u003eSVG files\u003c/strong\u003e are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the \u003cstrong\u003ePortfolio file list\u003c/strong\u003e is rendered.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:32:37.658Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Portfolio SVG Handling",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66520",
"datePublished": "2025-12-19T07:30:20.745Z",
"dateReserved": "2025-12-04T03:37:51.889Z",
"dateUpdated": "2025-12-19T14:41:00.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66519 (GCVE-0-2025-66519)
Vulnerability from nvd
Published
2025-12-19 07:27
Modified
2025-12-19 14:42
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:41:57.541062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:42:10.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003eLayer Import functionality\u003c/strong\u003e. A crafted payload can be injected into the \u003cstrong\u003e\u201cCreate new Layer\u201d\u003c/strong\u003e field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the \u003cstrong\u003eLayers panel\u003c/strong\u003e is accessed.\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the \u201cCreate new Layer\u201d field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:32:26.200Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Layer Import Functionality",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66519",
"datePublished": "2025-12-19T07:27:54.834Z",
"dateReserved": "2025-12-04T03:37:51.888Z",
"dateUpdated": "2025-12-19T14:42:10.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66502 (GCVE-0-2025-66502)
Vulnerability from nvd
Published
2025-12-19 07:25
Modified
2025-12-19 14:43
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:43:28.925893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:43:38.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003ePage Templates feature\u003c/strong\u003e. A crafted payload can be stored as the \u003cstrong\u003etemplate name\u003c/strong\u003e, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:27:38.146Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Page Templates Feature",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66502",
"datePublished": "2025-12-19T07:25:25.646Z",
"dateReserved": "2025-12-03T01:33:55.298Z",
"dateUpdated": "2025-12-19T14:43:38.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66501 (GCVE-0-2025-66501)
Vulnerability from nvd
Published
2025-12-19 07:23
Modified
2025-12-19 17:12
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:09:56.590040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T17:12:02.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003ePredefined Text feature of the Foxit eSign section\u003c/strong\u003e. A crafted payload can be stored via the \u003cstrong\u003eIdentity \u201cFirst Name\u201d field\u003c/strong\u003e, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity \u201cFirst Name\u201d field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:27:24.786Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66501",
"datePublished": "2025-12-19T07:23:29.090Z",
"dateReserved": "2025-12-03T01:33:55.298Z",
"dateUpdated": "2025-12-19T17:12:02.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66522 (GCVE-0-2025-66522)
Vulnerability from cvelistv5
Published
2025-12-19 07:34
Modified
2025-12-19 14:36
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Digital IDs functionality of the Foxit PDF Editor Cloud (pdfonline.foxit.com). The application does not properly sanitize or encode the Common Name field of Digital IDs before inserting user-supplied content into the DOM. As a result, embedded HTML or JavaScript may execute whenever the Digital IDs dialog is accessed or when the affected PDF is loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
CVE-2025-66521 (GCVE-0-2025-66521)
Vulnerability from cvelistv5
Published
2025-12-19 07:33
Modified
2025-12-19 16:06
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Trusted Certificates feature. A crafted payload can be injected as the certificate name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the Trusted Certificates view is loaded.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | before 2025‑12‑01 |
CVE-2025-66520 (GCVE-0-2025-66520)
Vulnerability from cvelistv5
Published
2025-12-19 07:30
Modified
2025-12-19 14:41
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | Version: before 2025‑12‑01 | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66520",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:40:49.738524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:41:00.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\nA stored cross-site scripting (XSS) vulnerability exists in the \u003cstrong\u003ePortfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com)\u003c/strong\u003e. User-supplied \u003cstrong\u003eSVG files\u003c/strong\u003e are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the \u003cstrong\u003ePortfolio file list\u003c/strong\u003e is rendered.\n\n\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:32:37.658Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Portfolio SVG Handling",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66520",
"datePublished": "2025-12-19T07:30:20.745Z",
"dateReserved": "2025-12-04T03:37:51.889Z",
"dateUpdated": "2025-12-19T14:41:00.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66519 (GCVE-0-2025-66519)
Vulnerability from cvelistv5
Published
2025-12-19 07:27
Modified
2025-12-19 14:42
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | Version: before 2025‑12‑01 | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66519",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:41:57.541062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:42:10.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003eLayer Import functionality\u003c/strong\u003e. A crafted payload can be injected into the \u003cstrong\u003e\u201cCreate new Layer\u201d\u003c/strong\u003e field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the \u003cstrong\u003eLayers panel\u003c/strong\u003e is accessed.\u003c/p\u003e"
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the \u201cCreate new Layer\u201d field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:32:26.200Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Layer Import Functionality",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66519",
"datePublished": "2025-12-19T07:27:54.834Z",
"dateReserved": "2025-12-04T03:37:51.888Z",
"dateUpdated": "2025-12-19T14:42:10.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66502 (GCVE-0-2025-66502)
Vulnerability from cvelistv5
Published
2025-12-19 07:25
Modified
2025-12-19 14:43
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | Version: before 2025‑12‑01 | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T14:43:28.925893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T14:43:38.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003ePage Templates feature\u003c/strong\u003e. A crafted payload can be stored as the \u003cstrong\u003etemplate name\u003c/strong\u003e, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Page Templates feature. A crafted payload can be stored as the template name, which is later rendered into the DOM without proper sanitization. As a result, the injected script executes each time the affected PDF is loaded."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:27:38.146Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Page Templates Feature",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66502",
"datePublished": "2025-12-19T07:25:25.646Z",
"dateReserved": "2025-12-03T01:33:55.298Z",
"dateUpdated": "2025-12-19T14:43:38.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66501 (GCVE-0-2025-66501)
Vulnerability from cvelistv5
Published
2025-12-19 07:23
Modified
2025-12-19 17:12
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Foxit Software Inc. | pdfonline.foxit.com | Version: before 2025‑12‑01 | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66501",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T17:09:56.590040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T17:12:02.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pdfonline.foxit.com",
"vendor": "Foxit Software Inc.",
"versions": [
{
"status": "affected",
"version": "before 2025\u201112\u201101"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Novee"
}
],
"datePublic": "2025-11-30T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A stored cross-site scripting (XSS) vulnerability exists in \u003cstrong\u003epdfonline.foxit.com\u003c/strong\u003e within the \u003cstrong\u003ePredefined Text feature of the Foxit eSign section\u003c/strong\u003e. A crafted payload can be stored via the \u003cstrong\u003eIdentity \u201cFirst Name\u201d field\u003c/strong\u003e, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties."
}
],
"value": "A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity \u201cFirst Name\u201d field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Potential arbitrary JavaScript execution"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T09:27:24.786Z",
"orgId": "14984358-7092-470d-8f34-ade47a7658a2",
"shortName": "Foxit"
},
"references": [
{
"url": "https://www.foxit.com/support/security-bulletins.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14984358-7092-470d-8f34-ade47a7658a2",
"assignerShortName": "Foxit",
"cveId": "CVE-2025-66501",
"datePublished": "2025-12-19T07:23:29.090Z",
"dateReserved": "2025-12-03T01:33:55.298Z",
"dateUpdated": "2025-12-19T17:12:02.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}