CVE-2025-66519: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com
A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.
AI Analysis
Technical Summary
CVE-2025-66519 is a stored cross-site scripting (XSS) vulnerability in pdfonline.foxit.com, the online PDF service from Foxit Software Inc. The flaw is in the Layer Import functionality, where the 'Create new Layer' input field does not properly sanitize user-supplied input before it is rendered into the Document Object Model (DOM). An attacker can inject a crafted payload into this field during the layer import process. Because the input is stored, the script executes whenever the Layers panel is accessed by any user viewing the document, which makes the XSS persistent. The vulnerability is classified under CWE-79, improper neutralization of input during web page generation.
The CVSS 3.1 base score is 6.3 (medium severity). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). In other words, an attacker with some privileges on the platform can exploit the vulnerability remotely, but the victim must interact with the Layers panel to trigger script execution.
The primary risk is unauthorized disclosure of sensitive information such as session cookies, credentials, or document data, potentially enabling further attacks like session hijacking or privilege escalation. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed as of December 19, 2025.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality, especially for entities that rely on pdfonline.foxit.com for document collaboration and management. Sensitive corporate or personal data embedded in PDFs could be exposed through script execution, leading to data breaches or compliance violations under GDPR. The requirement for user interaction and privileges limits the ease of exploitation but does not eliminate risk, particularly in environments where multiple users share access or where attackers can gain limited credentials. The integrity impact is low, so document content alteration is less likely, and availability is unaffected. However, the confidentiality breach could facilitate lateral movement or further attacks within an organization. Industries such as finance, legal, and government, which handle sensitive documents, are particularly vulnerable. The absence of known exploits reduces immediate risk but also means organizations should proactively address the vulnerability before exploitation occurs.
Mitigation Recommendations
Organizations should monitor Foxit Software Inc. for official patches and apply them promptly once available. Until patches are released, restrict access to the Layer Import functionality to trusted users only and limit user privileges to the minimum necessary to reduce exploitation potential. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the 'Create new Layer' input. Conduct regular security training to raise awareness about the risks of interacting with untrusted layers or documents. Additionally, perform input validation and output encoding on any custom integrations or workflows involving pdfonline.foxit.com to prevent injection of malicious scripts. Logging and monitoring access to the Layers panel can help detect suspicious activity. Finally, consider alternative PDF processing tools with stronger security postures if immediate mitigation is not feasible.
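The input validation and output encoding recommended above for custom integrations can look like the following. This is an added example, not Foxit's code: the function names, the allow-list policy, the markup and the sample layer names are all assumptions made for illustration.

```javascript
// Added example: hypothetical integration code, not Foxit's implementation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation at import time (assumed policy): Unicode letters and digits,
// spaces and a few punctuation marks, 1 to 64 characters.
const LAYER_NAME_RE = /^[\p{L}\p{N} ._()\-]{1,64}$/u;

function validateLayerName(name) {
  return typeof name === 'string' && LAYER_NAME_RE.test(name.trim());
}

// Weak pattern: the stored name is concatenated into markup unchanged, so any
// markup inside the name becomes part of the page.
function renderLayerItemUnsafe(name) {
  return `<li class="layer">${name}</li>`;
}

// Hardened pattern: the name is always encoded at render time, even if it
// passed validation, because stored data may predate the validation rule.
function renderLayerItemSafe(name) {
  return `<li class="layer">${escapeHtml(name)}</li>`;
}

// Split imported names into accepted and rejected so rejects can be logged.
function importLayers(names) {
  const accepted = [];
  const rejected = [];
  for (const n of names) (validateLayerName(n) ? accepted : rejected).push(n);
  return { accepted, rejected };
}

// Constructed sample input for the demonstration.
const SAMPLE_NAMES = ['Background', 'Annotations (v2)', '<img src=x onerror=alert(1)>', 'R&D "draft"'];

const { accepted, rejected } = importLayers(SAMPLE_NAMES);
console.log('accepted:', accepted);
console.log('rejected:', rejected);
console.log(renderLayerItemSafe(SAMPLE_NAMES[2]));
```

In browser code that builds DOM nodes directly, assigning the name through `textContent` instead of `innerHTML` gives the same protection without manual escaping.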
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Foxit
- Date Reserved: 2025-12-04T03:37:51.888Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69450fe2c326d36e5368d340
Added to database: 12/19/2025, 8:42:10 AM
Last enriched: 12/26/2025, 9:17:33 AM
Last updated: 2/7/2026, 5:03:26 AM