CVE-2025-66519 MEDIUM

CVE-2025-66519: Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Layer Import Functionality

Vendor Foxit Software Inc.
Product pdfonline.foxit.com
Weakness CWE-79 · XSS
Published December 19, 2025
Last update December 19, 2025
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.

Key dates

02Disclosure timeline

December 19, 2025 CVE published
December 19, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-0609 XSS in Logo Software's Logo Cloud CVE-2022-29923 WordPress Quick Restaurant Reservations plugin <= 1.4.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability CVE-2026-39636 WordPress Livemesh Addons for Elementor plugin <= 9.0 - Cross Site Scripting (XSS) vulnerability CVE-2021-24168 Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS) CVE-2025-13900 WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute