In response to findings that exposed weaknesses in the way user-supplied data was processed within interactive components, Foxit Software has issued a set of security fixes intended to address newly identified cross-site scripting vulnerabilities.
Due to the flaws in Foxit PDF Editor Cloud and Foxit eSign, maliciously crafted input could be rendered in an unsafe manner in the user’s browser, potentially allowing arbitrary JavaScript execution during authenticated sessions.
The fundamental problem was an inconsistency in input validation and output encoding in some UI elements (most notably file attachment metadata and layer naming logic), which enabled attacker-controlled payloads to persist and be triggered during routine user interactions.
Among these issues, the most important one, CVE-2026-1591, affected the File Attachments list and Layers panel of Foxit PDF Editor Cloud, thus emphasizing the importance of rigorously enforcing client-side trust boundaries in order to prevent the use of seemingly low-risk document features as attack vectors.
These findings were supported by Foxit’s confirmation that the identified weaknesses were related to a specific way in which certain client-side components handled untrusted input within a cloud environment. Affected functionality allowed for the processing of user-controlled values — specifically file attachment names and PDF layer identifiers — without sufficient validation or encoding prior to rendering in the browser.
By injecting carefully constructed payloads into the application’s HTML context, carefully constructed payloads could be executed upon the interaction between an authenticated user and the affected interface components. In response to these security deficiencies, Foxit published its latest security updates, which it described as routine security and stability enhancements that require no remediation other than ensuring deployments are up to date.
The advisory also identifies two vulnerabilities, tracked as CVE-2026-1591 and CVE-2026-1592, which are both classified under CWE-79 for cross-site scripting vulnerabilities. Each vulnerability has a CVSS v3.0 score of 6.3 and is rated Moderate in severity according to the advisory.
Foxit PDF Editor Cloud is impacted by CVE-2026-1591, which has a significant impact on its File Attachments and Layers panels due to insufficient input validation and improper output encoding which can allow arbitrary JavaScript execution from the browser.
The vulnerability CVE-2026-1592 poses a comparable risk through similar paths to data handling. Both vulnerabilities were identified and responsibly disclosed by Novee, a security researcher.
However, the potential consequences of exploitation are not trivial, even if user interaction is required. In order to inject a script into a trusted browser context, an attacker would have to persuade a logged-in user to open or interact with a specially crafted attachment or altered layer configuration.
By executing this script, an attacker can hijack a session, obtain unauthorized access to sensitive document data, or redirect the user to an attacker-controlled resource. As a result, the client-side trust assumptions made by document collaboration platforms pose a broader risk, particularly where dynamic document metadata is not rigorously sanitized.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: