Critical Vulnerabilities in Foxit PDF Editor Expose Users to Arbitrary JavaScript Execution
Foxit Software has recently addressed significant security vulnerabilities in its PDF Editor Cloud platform, which could have allowed attackers to execute arbitrary JavaScript code within users’ browsers. These vulnerabilities, identified as CVE-2026-1591 and CVE-2026-1592, were discovered in the application’s File Attachments list and Layers panel. The root cause was insufficient input validation and improper output encoding, creating potential pathways for malicious code execution.
Understanding the Vulnerabilities
Both CVE-2026-1591 and CVE-2026-1592 are classified under CWE-79, denoting Cross-site Scripting (XSS) vulnerabilities. They have been assigned a CVSS 3.0 score of 6.3, indicating a moderate severity level. The vulnerabilities arise from inadequate sanitization of user inputs in layer names and attachment file names. When a user views a crafted layer name or attachment file name in the Layers panel or the File Attachments list, the application fails to properly encode the untrusted value before embedding it into the HTML structure. This oversight enables arbitrary JavaScript execution within the user’s browser context.
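As an added illustration of the CWE-79 pattern described above (not Foxit’s code; the panel markup, function names and sample layer names are constructed assumptions), the following contrasts a list renderer that concatenates untrusted names straight into HTML with one that applies output encoding, plus a check a test suite can run over the rendered markup.

```javascript
// Added example (not Foxit's code): rendering untrusted layer / attachment
// names into an HTML panel. renderLayersUnsafe reproduces the CWE-79 pattern
// from the advisory; renderLayersSafe applies proper HTML output encoding.

// Constructed sample names: one benign, one carrying an HTML/JS payload.
const SAMPLE_LAYER_NAMES = [
  'Background',
  '<img src=x onerror="alert(document.cookie)">',
];

// Encode the five characters that can break out of an HTML text or
// attribute context. This is the "proper output encoding" the fix requires.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the raw name is concatenated into markup, so any tag inside
// the name becomes part of the page and its event handlers run.
function renderLayersUnsafe(names) {
  return '<ul class="layers">' +
    names.map((n) => `<li title="${n}">${n}</li>`).join('') +
    '</ul>';
}

// Fixed: every untrusted value is encoded before it touches the markup,
// in both the attribute position and the text position.
function renderLayersSafe(names) {
  return '<ul class="layers">' +
    names.map((n) => `<li title="${escapeHtml(n)}">${escapeHtml(n)}</li>`).join('') +
    '</ul>';
}

// Regression check: does the rendered panel contain any tag other than the
// ones the template itself emits? Any extra tag means input leaked into markup.
function containsForeignTag(html) {
  const allowed = new Set(['ul', '/ul', 'li', '/li']);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}
```

In a real browser panel, building the list with `document.createElement` and setting `textContent` achieves the same result without manual escaping; the string version is used here so the check runs outside a browser.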
Potential Impact
Exploitation of these vulnerabilities could grant attackers access to sensitive information visible to the authenticated user, including document contents and session data. While the attack requires user interaction and authenticated access, which somewhat limits the attack surface, the moderate severity rating reflects the realistic threat posed by these XSS flaws in a widely-used PDF editing application.
Remediation and Response
In response to these findings, Foxit has released security patches as part of the February 3, 2026 update to Foxit PDF Editor Cloud. For Cloud versions, no user action is required, as updates are deployed automatically. Users of desktop versions should check for available updates through the application’s update mechanism to ensure they are running the latest patched version.
Organizations utilizing Foxit PDF Editor are advised to verify that their installations are up-to-date. Additionally, reviewing file handling practices and, where organizational security policies allow, limiting user access to PDF editing features is recommended.
For further security inquiries, Foxit’s Security Response Team can be reached at [email protected]. Additional security advisories and vulnerability reporting information are available on Foxit’s official security page.