CVE-2025-66501: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com

Medium
Tags: Vulnerability, CVE-2025-66501, cve, cve-2025-66501, cwe-79
Published: Fri Dec 19 2025 (12/19/2025, 07:23:29 UTC)
Source: CVE Database V5
Vendor/Project: Foxit Software Inc.
Product: pdfonline.foxit.com

Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.

AI-Powered Analysis

Last updated: 12/19/2025, 07:32:03 UTC

Technical Analysis

CVE-2025-66501 is a stored cross-site scripting (XSS) vulnerability identified in Foxit Software Inc.'s pdfonline.foxit.com platform, specifically within the Predefined Text feature of the Foxit eSign section. The vulnerability stems from improper neutralization of user input in the 'First Name' field of the Identity section. When a malicious actor submits a crafted payload in this field, the input is stored and later rendered into the Document Object Model (DOM) without adequate sanitization or encoding. This flaw allows the injected JavaScript code to execute in the context of the victim's browser when predefined text is used or when viewing document properties. The vulnerability requires the attacker to have low privileges (PR:L) and some user interaction (UI:R), such as viewing the affected document or predefined text. The attack vector is network-based (AV:N), meaning it can be exploited remotely. The impact is primarily on confidentiality (C:H), as the attacker could steal sensitive information or session tokens, with limited impact on integrity (I:L) and no impact on availability (A:N). The vulnerability affects versions of pdfonline.foxit.com before December 1, 2025. No patches were listed at the time of publication, and no known exploits are currently reported in the wild. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS attacks. Given the nature of the vulnerability, it could be leveraged for phishing, session hijacking, or data exfiltration attacks within affected environments.

Potential Impact

For European organizations, the exploitation of CVE-2025-66501 could lead to significant confidentiality breaches, including unauthorized access to sensitive document data, user credentials, or session tokens. Since the vulnerability resides in an online PDF and eSign service, attackers could target business workflows involving digital signatures and document management, potentially compromising legally sensitive documents or contracts. The medium severity score reflects that while availability and integrity impacts are limited, the confidentiality impact is high, which is critical for compliance with GDPR and other data protection regulations in Europe. Exploitation could result in reputational damage, regulatory fines, and operational disruptions if sensitive information is leaked or manipulated. Additionally, since the attack requires some user interaction, social engineering could be used to increase the success rate. Organizations relying heavily on Foxit's pdfonline service for document processing and eSignatures are at higher risk, especially those in sectors like finance, legal, and government where document confidentiality is paramount.

Mitigation Recommendations

European organizations should prioritize the following mitigations:

1) Monitor Foxit’s official channels for security patches and apply updates to pdfonline.foxit.com promptly once available.
2) Implement strict input validation and output encoding on all user-supplied data fields, especially in eSign workflows, to prevent script injection.
3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the web application.
4) Conduct regular security assessments and penetration testing focused on web application vulnerabilities, including stored XSS.
5) Educate users about the risks of interacting with untrusted documents or links, reducing the likelihood of successful social engineering.
6) Use web application firewalls (WAFs) configured to detect and block XSS payloads targeting the affected service.
7) Review and restrict user privileges to minimize the ability of low-privilege users to inject malicious content.
8) Log and monitor unusual activities related to document properties and predefined text usage to detect potential exploitation attempts early.
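
As an added example (not code from Foxit or from this advisory), the JavaScript below sketches the input validation and output encoding mitigation for the flaw described above: encoding the stored First Name where it is rendered, plus an allowlist check and an audit pass over values already stored. All function names, the record shape, the CSP value and the sample records are assumptions constructed for illustration.

```javascript
// Hypothetical names throughout; this models the pattern, not Foxit's code.

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored profile data concatenated straight into markup.
function renderPredefinedTextUnsafe(identity) {
  return `<li class="predefined-text">${identity.firstName}</li>`;
}

// Hardened pattern: encode at the point of output, whatever was stored.
// (In browser code, assigning to element.textContent achieves the same.)
function renderPredefinedTextSafe(identity) {
  return `<li class="predefined-text">${escapeHtml(identity.firstName)}</li>`;
}

// Defence in depth at write time: letters, combining marks, space, . ' -
function isAcceptableFirstName(value) {
  return typeof value === "string" && /^[\p{L}\p{M}][\p{L}\p{M} .'-]{0,63}$/u.test(value);
}

// Audit helper: ids of already-stored records that fail the allowlist.
function findSuspectIdentities(records) {
  return records.filter((r) => !isAcceptableFirstName(r.firstName)).map((r) => r.id);
}

// Assumed CSP value: without 'unsafe-inline', inline handlers do not execute.
const EXAMPLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample records (not real data).
const SAMPLE_RECORDS = [
  { id: 1, firstName: "Zoë" },
  { id: 2, firstName: "O'Neil" },
  { id: 3, firstName: "Ann<img src=x onerror=alert(1)>" },
];
```

Encoding at the output sink is the primary control; the allowlist and CSP only reduce exposure if a sink is missed.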


Technical Details

Data Version: 5.2
Assigner Short Name: Foxit
Date Reserved: 2025-12-03T01:33:55.298Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6944ff0c19341fe1888b869e

Added to database: 12/19/2025, 7:30:20 AM

Last enriched: 12/19/2025, 7:32:03 AM

Last updated: 12/19/2025, 8:55:19 AM
