CVE-2025-66501: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Predefined Text feature of the Foxit eSign section. A crafted payload can be stored via the Identity “First Name” field, which is later rendered into the DOM without proper sanitization. As a result, the injected script may execute when predefined text is used or when viewing document properties.
AI Analysis
Technical Summary
CVE-2025-66501 is a stored cross-site scripting (XSS) vulnerability in Foxit Software Inc.'s online PDF service, pdfonline.foxit.com, specifically within the Predefined Text feature of the Foxit eSign section. The 'First Name' field in the Identity section accepts input that is stored and later injected into the Document Object Model (DOM) without proper sanitization or encoding. This improper neutralization of input (CWE-79) allows an attacker to store a crafted payload that executes arbitrary JavaScript in the context of the victim's browser when predefined text is used or document properties are viewed.
The CVSS 3.1 base score is 6.3 (medium severity): the attack vector is network (remote), attack complexity is low, low privileges and user interaction are required, the confidentiality impact is high, the integrity impact is lesser, and there is no availability impact. The vulnerability affects versions of the service before December 1, 2025.
Although no known exploits are reported in the wild, the stored nature of the XSS makes it particularly dangerous, because the malicious script persists and can affect multiple users. The flaw can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. The root cause is insufficient input validation and output encoding in the web application's handling of user-supplied data in the eSign workflow.
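The root cause described above, rendering a stored field into markup without output encoding, is shown here next to its hardened form. This is an added illustration, not Foxit's code: the function names, the list-item template and the sample value are assumptions constructed for the example.

```javascript
// Added illustration; function names and markup are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored field is concatenated into markup as-is,
// so markup characters in the name become part of the page structure.
function renderPredefinedTextUnsafe(identity) {
  return '<li title="' + identity.firstName + '">' + identity.firstName + '</li>';
}

// Hardened: same template, every stored value encoded at output time.
function renderPredefinedTextSafe(identity) {
  const name = escapeHtml(identity.firstName);
  return '<li title="' + name + '">' + name + '</li>';
}

// In the browser, prefer sinks that never invoke the HTML parser.
function fillPredefinedText(element, identity) {
  element.textContent = identity.firstName;
  element.setAttribute('title', identity.firstName);
}

// Number of tag openers in the output; the template alone contributes 2.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample: harmless markup standing in for a stored value.
const stored = { firstName: 'Ann"><i id="probe">x</i>' };
console.log('unsafe tag openers:', countTagOpeners(renderPredefinedTextUnsafe(stored)));
console.log('safe tag openers:  ', countTagOpeners(renderPredefinedTextSafe(stored)));
```

Any tag-opener count above the template's own two means stored data has changed the page structure, which is the condition a regression test for this class of bug should assert against.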
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive documents and user credentials handled via Foxit's pdfonline eSign service. Exploitation could allow attackers to execute scripts that steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, potentially leading to data breaches or unauthorized document modifications. Organizations relying on Foxit's eSign for legally binding document workflows may face compliance and reputational risks if attackers exploit this vulnerability. The medium severity rating reflects the need for user interaction and low privilege requirements, but the stored nature increases the attack surface, especially in collaborative environments where multiple users access shared documents. The absence of known exploits suggests a window for proactive mitigation. However, the widespread use of Foxit products in Europe, particularly in sectors like legal, finance, and government, amplifies the potential impact.
Mitigation Recommendations
1. Monitor Foxit Software Inc. communications for official patches addressing CVE-2025-66501 and apply them promptly once released.
2. Until patches are available, restrict user input in the 'First Name' field by implementing server-side input validation to disallow HTML or script tags.
3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the pdfonline.foxit.com domain.
4. Educate users to be cautious when interacting with predefined text or document properties, especially from untrusted sources.
5. Limit privileges of users who can input or modify identity fields to reduce the risk of malicious payload injection.
6. Conduct regular security assessments and penetration testing focusing on web application input sanitization and output encoding.
7. Implement web application firewalls (WAF) with rules targeting XSS payload patterns to detect and block exploitation attempts.
8. Review and enhance logging and monitoring to detect anomalous activities related to document property views or eSign workflows.
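Recommendations 2 and 3 as an added sketch, not taken from Foxit or from this advisory: a server-side allowlist check for a name field and a nonce-based CSP header value. The length limit, the allowed character set and the policy directives are assumptions chosen for illustration, and the nonce is assumed to be generated per response by the caller from a CSPRNG.

```javascript
// Added illustration; limits, character set and directives are assumptions.
const NAME_MAX = 64;
// Letters and combining marks in any script, plus space, period,
// apostrophe (straight or typographic) and hyphen.
const NAME_PATTERN = /^[\p{L}\p{M}][\p{L}\p{M} .'\u2019-]*$/u;

// Server-side allowlist validation for the Identity "First Name" field.
// It complements output encoding and does not replace it: an allowed
// apostrophe still has to be encoded when the value is rendered.
function validateFirstName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const name = raw.normalize('NFC').trim();
  if (name.length === 0 || name.length > NAME_MAX) {
    return { ok: false, reason: 'length' };
  }
  if (!NAME_PATTERN.test(name)) {
    return { ok: false, reason: 'disallowed character' };
  }
  return { ok: true, value: name };
}

// Build a Content-Security-Policy value that permits only same-origin
// scripts and scripts carrying this response's nonce. With no
// 'unsafe-inline', injected inline scripts and event handlers are refused.
function buildCsp(nonce) {
  // 22 base64 characters carry at least 128 bits.
  if (!/^[A-Za-z0-9+/]{22,}={0,2}$/.test(nonce)) {
    throw new Error('nonce must be base64 with at least 128 bits');
  }
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Constructed sample inputs.
for (const sample of ['Zoë', "O'Neil", 'Ann"><i>x</i>']) {
  console.log(JSON.stringify(sample), validateFirstName(sample));
}
console.log(buildCsp('q83vEjRWeJASNFZ4kKvN7w=='));
```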
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Foxit
- Date Reserved: 2025-12-03T01:33:55.298Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6944ff0c19341fe1888b869e
Added to database: 12/19/2025, 7:30:20 AM
Last enriched: 12/26/2025, 8:03:15 AM
Last updated: 2/6/2026, 5:57:18 PM