CVE-2025-66501 MEDIUM

CVE-2025-66501: Foxit pdfonline.foxit.com Stored Cross-Site Scripting in eSign Predefined Text Feature

Vendor Foxit Software Inc.

Product pdfonline.foxit.com

Weakness CWE-79 · XSS

Published December 19, 2025

Last update December 19, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.

Key dates

02Disclosure timeline

December 19, 2025 CVE published

December 19, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66501 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2025-66501

CWE CWE-79

CVSS 6.3 / MEDIUM

Affected versions