
CVE-2025-66519: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com

Severity: Medium
Tags: Vulnerability, CVE-2025-66519, CWE-79
Published: Fri Dec 19 2025 (12/19/2025, 07:27:54 UTC)
Source: CVE Database V5
Vendor/Project: Foxit Software Inc.
Product: pdfonline.foxit.com

Description

A stored cross-site scripting (XSS) vulnerability exists in pdfonline.foxit.com within the Layer Import functionality. A crafted payload can be injected into the “Create new Layer” field during layer import and is later rendered into the DOM without proper sanitization. As a result, the injected script executes when the Layers panel is accessed.

AI-Powered Analysis

Last updated: 12/19/2025, 08:49:39 UTC

Technical Analysis

CVE-2025-66519 is a stored cross-site scripting (XSS) vulnerability identified in Foxit Software Inc.'s online PDF service, pdfonline.foxit.com. The vulnerability resides in the Layer Import functionality, where the 'Create new Layer' input field improperly sanitizes user-supplied data. An attacker can craft a malicious payload and inject it into this field during the layer import process. Because the input is stored and later rendered directly into the Document Object Model (DOM) without adequate neutralization, the malicious script executes when a user accesses the Layers panel. This stored XSS flaw allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session, potentially leading to theft of sensitive information such as authentication tokens, session cookies, or other confidential data. The vulnerability requires the attacker to have low privileges (PR:L) and user interaction (UI:R) to trigger the payload, but no physical access or elevated privileges are necessary. The CVSS 3.1 base score is 6.3, reflecting a medium severity with high confidentiality impact, low integrity impact, and no availability impact. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and affects all versions of pdfonline.foxit.com before December 1, 2025. The lack of a patch link indicates that a fix may still be pending or in development. Given the widespread use of Foxit's PDF tools in enterprise and government sectors, this vulnerability poses a tangible risk if exploited.

Potential Impact

For European organizations, the exploitation of this stored XSS vulnerability could lead to unauthorized disclosure of sensitive information, including session tokens and confidential document data, compromising user accounts and internal workflows. Since pdfonline.foxit.com is a cloud-based service used for PDF manipulation, attackers could leverage this vulnerability to perform targeted attacks against employees or partners who access the Layers panel, potentially facilitating further phishing or lateral movement within networks. The medium severity score reflects moderate risk, but the high confidentiality impact is significant for sectors handling sensitive or regulated data, such as finance, healthcare, and government. The requirement for user interaction and low privilege reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. Additionally, the absence of known exploits in the wild suggests that organizations have a window to implement mitigations before active exploitation occurs. However, failure to address this vulnerability could result in data breaches, reputational damage, and regulatory penalties under GDPR and other data protection laws.

Mitigation Recommendations

European organizations should prioritize the following measures:

1) Monitor Foxit Software Inc. announcements and promptly apply patches or updates once released to address CVE-2025-66519.
2) Implement strict input validation and sanitization controls on any user-generated content fields, especially those related to document layer creation or import, to prevent injection of malicious scripts.
3) Restrict access to the Layer Import functionality to trusted users only, minimizing exposure to untrusted or external actors.
4) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within browsers accessing pdfonline.foxit.com.
5) Conduct user awareness training to recognize and report suspicious behavior related to document handling.
6) Monitor logs and network traffic for unusual activity associated with the Layers panel or PDF manipulation workflows.
7) Consider isolating or sandboxing browser sessions when accessing pdfonline.foxit.com to reduce the impact of potential XSS payloads.
8) Evaluate alternative PDF processing tools with stronger security postures if immediate patching is not feasible.
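The flaw described above is a classic output-encoding failure: a stored layer name is concatenated into markup for the Layers panel. The following is an added example, not Foxit's code, that models a hypothetical Layers-panel renderer in its vulnerable and hardened forms with a constructed hostile layer name, plus a small check that flags markup containing tags the template never emitted.

```javascript
// Added illustration of the bug class behind CVE-2025-66519 (hypothetical
// renderer, not pdfonline.foxit.com code). A stored "Create new Layer" value
// is rendered into the Layers panel; the only difference between the two
// render functions is contextual output encoding.

// Constructed sample of stored layer names, one of them hostile.
const STORED_LAYER_NAMES = [
  "Background",
  '<img src=x onerror="alert(1)">', // constructed hostile value
];

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE pattern: the stored value is spliced into markup verbatim,
// so a name containing a tag becomes live DOM when the panel is opened.
function renderLayersPanelUnsafe(names) {
  const items = names.map((n) => `<li data-layer="${n}">${n}</li>`).join("");
  return `<ul class="layers">${items}</ul>`;
}

// HARDENED pattern: encode on output in both the attribute and the text
// context. In real browser code prefer li.textContent = n and
// li.dataset.layer = n, which never parse the value as markup at all.
function renderLayersPanelSafe(names) {
  const items = names
    .map((n) => `<li data-layer="${escapeHtml(n)}">${escapeHtml(n)}</li>`)
    .join("");
  return `<ul class="layers">${items}</ul>`;
}

// Review/test aid: the template only ever emits <ul> and <li>, so any other
// tag start in the output means user data was interpreted as markup.
function containsUnexpectedTag(html) {
  return /<(?!\/?(?:ul|li)\b)[a-zA-Z]/.test(html);
}

console.log(containsUnexpectedTag(renderLayersPanelUnsafe(STORED_LAYER_NAMES))); // true
console.log(containsUnexpectedTag(renderLayersPanelSafe(STORED_LAYER_NAMES)));   // false
```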


Technical Details

Data Version: 5.2
Assigner Short Name: Foxit
Date Reserved: 2025-12-04T03:37:51.888Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69450fe2c326d36e5368d340

Added to database: 12/19/2025, 8:42:10 AM

Last enriched: 12/19/2025, 8:49:39 AM

Last updated: 12/19/2025, 11:09:55 AM
