CVE-2026-1592

6.3 MEDIUM

📋 TL;DR

Foxit PDF Editor Cloud (pdfonline) has a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input allows attackers to inject malicious JavaScript that executes when other users view the affected layer. This affects all users of pdfonline.foxit.com before February 3, 2026.

💻 Affected Systems

Products:
  • Foxit PDF Editor Cloud (pdfonline)
Versions: All versions before 2026-02-03
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the cloud version at pdfonline.foxit.com; desktop versions are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts through credential theft.

🟠

Likely Case

Attackers create malicious layers that execute JavaScript in victims' browsers, potentially stealing session tokens or performing unauthorized actions.

🟢

If Mitigated

If the service validates layer input and HTML-encodes it when the layer is rendered, injected markup is shown as literal text and never executes, so the stored payload is inert.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create a layer in a document, which means an authenticated account on the service. Because the payload is stored with the document, it is persistent and fires for every user who later views the affected layer, not just the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version deployed on or after 2026-02-03

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: No

Instructions:

1. The service is vendor-hosted at pdfonline.foxit.com and is updated by Foxit; no customer-side patching is possible or required.
2. Confirm that the deployed version shown by the service is dated 2026-02-03 or later.
3. If the displayed version predates 2026-02-03, treat the service as unpatched and apply the workarounds below.

🔧 Temporary Workarounds

Disable Layer Creation

Applies to: all

Temporarily restrict user permissions to prevent creation of new layers until patched. On the hosted service this depends on whatever sharing and permission controls Foxit exposes to account administrators; at minimum, limit who can edit shared documents.

Content Security Policy

Applies to: all

Implement CSP headers to restrict script execution from untrusted sources. Note that response headers for pdfonline.foxit.com are set by Foxit, not by the customer, so this workaround is only actionable on the vendor side.

🧯 If You Can't Patch

  • Implement web application firewall rules to block XSS payloads in layer creation requests. This is only possible where you proxy traffic to the service yourself; signature-based rules are a stopgap, since encoded or obfuscated payloads can evade them.
  • Monitor for suspicious layer creation activities and review user-generated content (layer names and other layer metadata) regularly, especially in documents shared with many viewers.

🔍 How to Verify

Check if Vulnerable:

Test by creating a new layer with a simple XSS payload like <script>alert('test')</script> and check whether it executes when viewing the layer. Do this only in an account and document you control, because the payload is stored and will run for anyone else who opens the document. A negative result with a bare <script> tag is not conclusive: browsers do not execute <script> elements inserted through innerHTML, so a probe such as an <img> tag with an onerror handler is a more reliable indicator of whether the input is encoded on output.

Check Version:

Check the website footer or about page on pdfonline.foxit.com for version/date information.

Verify Fix Applied:

Attempt the same XSS test after the patch; the payload should render as literal text in the layer list (the angle brackets visible, nothing executed) rather than being interpreted as markup.
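The vulnerable and hardened rendering patterns side by side, as an added example that is not Foxit's code and not taken from the page: the layer object shape, the renderLayerRow functions, escapeHtml and validateLayerName are assumptions for illustration, and the attacker payload is constructed. It also shows why the page's `<script>` probe can give a false negative: markup inserted through innerHTML never executes `<script>` elements, whereas an `<img onerror>` handler does.

```javascript
// Added example (not vendor code): how a stored XSS in a layer name arises
// and how output encoding removes it. Names and the layer shape are assumed.

// Constructed attacker input. An <img onerror> payload runs when inserted via
// innerHTML; a bare <script> tag inserted the same way does not execute, which
// is why it is a weak probe for this class of bug.
const ATTACKER_LAYER_NAME = '<img src=x onerror="alert(document.cookie)">';
const PAGE_PROBE = "<script>alert('test')</script>";

// Vulnerable pattern: user-controlled text is concatenated into markup that is
// later assigned to innerHTML. Every viewer of the document runs the payload.
function renderLayerRowUnsafe(layer) {
  return `<li class="layer" data-id="${layer.id}">${layer.name}</li>`;
}

// Output encoding for the HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every interpolated value is encoded for the context it
// lands in. In a browser, element.textContent = layer.name is better still,
// because it cannot produce markup at all.
function renderLayerRowSafe(layer) {
  return `<li class="layer" data-id="${escapeHtml(layer.id)}">${escapeHtml(layer.name)}</li>`;
}

// Input validation complements encoding but does not replace it: '<' is a
// legitimate character in a layer name, so only length and control characters
// are rejected here; the encoding above is what actually neutralises markup.
const MAX_LAYER_NAME = 128;
function validateLayerName(name) {
  if (typeof name !== 'string') return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_LAYER_NAME) return false;
  return !/[\u0000-\u001F\u007F-\u009F]/.test(trimmed);
}

// Stand-alone demonstration.
const layer = { id: 7, name: ATTACKER_LAYER_NAME };
console.log('unsafe:', renderLayerRowUnsafe(layer));
console.log('safe:  ', renderLayerRowSafe(layer));
console.log('probe encoded:', escapeHtml(PAGE_PROBE));
```

The unsafe row contains a live `<img src=x onerror=...>` element; the safe row contains `&lt;img ...&gt;`, which the browser displays as text. Run with `node` to compare the two strings.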

📡 Detection & Monitoring

Log Indicators:

  • Unusual layer creation patterns
  • Requests containing script tags or JavaScript in layer parameters

Network Indicators:

  • HTTP requests with suspicious payloads in POST data to layer creation endpoints

SIEM Query:

source="web_logs" AND (url_path="/api/layer/create" OR url_path="/layer/create") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")

The endpoint paths above are illustrative; substitute the path your logs actually show for layer creation. Match case-insensitively against the URL-decoded body, since a literal CONTAINS "<script>" misses a percent-encoded %3Cscript%3E, a mixed-case <IMG ONERROR=...>, and other event-handler payloads. Web-tier logs for pdfonline.foxit.com are held by Foxit; a customer will typically only see outbound proxy logs, where the request body may not be recorded at all.
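The SIEM query above turned into detection logic and run over constructed log lines, as an added example rather than anything from the page or the vendor. The JSON log format, the /api/layer/create and /layer/create paths, the user names and the request bodies are all assumptions. The point it makes is that the body must be URL-decoded and matched case-insensitively before pattern matching; a literal CONTAINS "<script>" check sees none of the constructed malicious requests.

```javascript
// Added example (not vendor code): scan layer-creation requests for XSS
// payloads. Log format, endpoint paths and sample lines are constructed.

const SAMPLE_LOGS = [
  '{"ts":"2026-02-01T10:00:00Z","user":"alice","method":"POST","path":"/api/layer/create","body":"name=Watermark&visible=true"}',
  '{"ts":"2026-02-01T10:01:00Z","user":"mallory","method":"POST","path":"/api/layer/create","body":"name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
  '{"ts":"2026-02-01T10:02:00Z","user":"mallory","method":"POST","path":"/api/layer/create","body":"name=%3CIMG+SRC%3Dx+ONERROR%3Dalert(document.cookie)%3E"}',
  '{"ts":"2026-02-01T10:03:00Z","user":"bob","method":"GET","path":"/api/layer/list","body":""}',
  '{"ts":"2026-02-01T10:04:00Z","user":"carol","method":"POST","path":"/api/layer/create","body":"name=Q%26A+%3C+2026"}',
];

// Assumed layer-creation endpoints; replace with the paths seen in real logs.
const LAYER_CREATE_PATHS = new Set(['/api/layer/create', '/layer/create']);

// Rules applied to each decoded form field. Case-insensitive on purpose.
const XSS_RULES = [
  { rule: 'html-tag', re: /<\s*\/?\s*(script|img|svg|iframe|object|embed|math|details|input|a|body)\b/i },
  { rule: 'event-handler', re: /\bon[a-z]{3,}\s*=/i },
  { rule: 'javascript-uri', re: /javascript\s*:/i },
];

// Decode form encoding, repeating a bounded number of times so that
// double-encoded payloads (%253C...) are also unwrapped.
function decodeRepeatedly(value, maxRounds = 3) {
  let current = value.replace(/\+/g, ' ');
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; } // malformed escape: stop
    if (next === current) break;
    current = next;
  }
  return current;
}

// Split a form body into decoded key/value pairs. Splitting on '&' happens
// before decoding, so an encoded '%26' inside a value does not break the parse.
function parseFormBody(body) {
  const fields = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const raw = idx === -1 ? '' : pair.slice(idx + 1);
    fields[decodeRepeatedly(key)] = decodeRepeatedly(raw);
  }
  return fields;
}

// Mirrors the literal CONTAINS check from the SIEM query: raw body, exact case.
function naiveSiemMatch(entry) {
  return entry.body.includes('<script>') || entry.body.includes('javascript:');
}

function countNaiveMatches(lines) {
  return lines.map((l) => JSON.parse(l))
    .filter((e) => LAYER_CREATE_PATHS.has(e.path) && naiveSiemMatch(e)).length;
}

// Decode first, then match; one alert per suspicious field.
function scanLayerCreates(lines) {
  const alerts = [];
  for (const line of lines) {
    const entry = JSON.parse(line);
    if (entry.method !== 'POST' || !LAYER_CREATE_PATHS.has(entry.path)) continue;
    for (const [field, value] of Object.entries(parseFormBody(entry.body))) {
      for (const { rule, re } of XSS_RULES) {
        if (re.test(value)) {
          alerts.push({ ts: entry.ts, user: entry.user, field, rule, value });
          break;
        }
      }
    }
  }
  return alerts;
}

console.log('naive CONTAINS matches:', countNaiveMatches(SAMPLE_LOGS));
console.log('decoded-scan alerts:', scanLayerCreates(SAMPLE_LOGS));
```

Carol's name "Q&A < 2026" contains a bare angle bracket but triggers no rule, which keeps the false-positive rate tolerable for a field where '<' is legitimate text; both of mallory's encoded payloads are caught after decoding, while the naive check catches neither.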
