CVE-2026-1591 | THREATINT

Description

Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03.

PUBLISHED Reserved 2026-01-29 | Published 2026-02-03 | Updated 2026-02-03 | Assigner Foxit

MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

before 2026‑02‑03

affected

Credits

Novee finder

References

www.foxit.com/support/security-bulletins.html

cve.org (CVE-2026-1591)

nvd.nist.gov (CVE-2026-1591)

Download JSON