CVE-2026-1591 MEDIUM

CVE-2026-1591: Stored XSS via Attachments Feature in https://pdfonline.foxit.com/

Vendor Foxit Software Inc.
Product pdfonline.foxit.com
Weakness CWE-79 · XSS
Published February 3, 2026
Last update February 3, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03.

Key dates

02Disclosure timeline

February 3, 2026 CVE published
February 3, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-2483 Gift Certificate Creator <= 1.1.0 - Reflected Cross-Site Scripting via receip_address Parameter CVE-2023-1776 Stored XSS via SVG attachment on Boards CVE-2024-10478 LinZhaoguan pb-cms Edit Article edit cross site scripting CVE-2025-64224 WordPress Grand Conference Theme Custom Post Type plugin < 2.6.4 - Cross Site Scripting (XSS) vulnerability CVE-2024-9443 Basticom Framework <= 1.5.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload