Cross-Site Scripting Vulnerability in Foxit PDF Editor Cloud Portfolio Feature
CVE-2025-66520

6.3MEDIUM

Key Information:

Vendor: Foxit Inc.
Status: PDFonline.foxit.com
Vendor: CVE Published:; 19 December 2025

What is CVE-2025-66520?

A stored cross-site scripting vulnerability exists in the Portfolio feature of Foxit PDF Editor Cloud. The issue arises when user-supplied SVG files are not properly sanitized or validated prior to being rendered in the application's HTML structure. This oversight allows for the possibility of executing embedded HTML or JavaScript code, which can occur each time the Portfolio file list is displayed, potentially leading to unauthorized actions or data theft.

Affected Version(s)

pdfonline.foxit.com before 2025‑12‑01

References

https://www.foxit.com/support/security-bulletins.html

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 19, 2025
Vulnerability Reserved
Dec 4, 2025

Credit

thisis0xczar from Novee.io

JSON