
CVE-2025-66520: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Foxit Software Inc. pdfonline.foxit.com

Severity: Medium
Published: Fri Dec 19 2025 (12/19/2025, 07:30:20 UTC)
Source: CVE Database V5
Vendor/Project: Foxit Software Inc.
Product: pdfonline.foxit.com

Description

A stored cross-site scripting (XSS) vulnerability exists in the Portfolio feature of the Foxit PDF Editor cloud (pdfonline.foxit.com). User-supplied SVG files are not properly sanitized or validated before being inserted into the HTML structure. As a result, embedded HTML or JavaScript within a crafted SVG may execute whenever the Portfolio file list is rendered.

AI-Powered Analysis

Last updated: 12/19/2025, 08:49:54 UTC

Technical Analysis

CVE-2025-66520 is a stored cross-site scripting (XSS) vulnerability identified in the Portfolio feature of Foxit Software Inc.'s cloud-based PDF Editor service (pdfonline.foxit.com). The vulnerability stems from improper neutralization of user-supplied SVG files, which are embedded directly into the HTML DOM without adequate sanitization or validation. SVG files are XML documents that can carry embedded HTML or JavaScript; when a maliciously crafted SVG is uploaded and included in the Portfolio file list, the embedded script executes in the context of the victim's browser each time the list is rendered.

This can lead to unauthorized disclosure of sensitive information, such as session tokens or user data, which is reflected in the high confidentiality impact. The vulnerability requires the attacker to have at least some level of authenticated access (PR:L) and user interaction (UI:R) to trigger the exploit. The CVSS v3.1 base score is 6.3, indicating medium severity with a network attack vector (AV:N), low attack complexity (AC:L), high impact on confidentiality (C:H), low impact on integrity (I:L) and no impact on availability (A:N).

No public exploits have been reported yet, but the vulnerability is significant due to the widespread use of Foxit's cloud PDF services in enterprise environments. The flaw is present in versions before December 1, 2025, and remains unpatched at the time of reporting. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks. Exploitation could allow attackers to steal sensitive data, perform actions on behalf of users, or conduct phishing attacks within the trusted domain of the PDF service.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to confidentiality, as attackers can execute malicious scripts in users' browsers, potentially stealing session cookies, personal data, or confidential documents accessed via the Foxit PDF Editor cloud service. Organizations relying on Foxit's cloud platform for document management, especially those in regulated industries such as finance, healthcare, and government, could face data breaches or compliance violations. The integrity impact is limited but could allow attackers to manipulate displayed content or perform limited unauthorized actions within the application context. Availability is not affected. Since exploitation requires authenticated access and user interaction, the threat is somewhat mitigated but still significant in environments with many users uploading or sharing SVG content. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks. European entities using Foxit’s cloud services for collaborative document workflows are particularly vulnerable to lateral movement or data exfiltration attempts leveraging this flaw.

Mitigation Recommendations

1. Apply official patches or updates from Foxit Software as soon as they become available to remediate the vulnerability.
2. Until patches are released, restrict or disable the upload of SVG files in the Portfolio feature to prevent malicious content insertion.
3. Implement strict input validation and sanitization on all user-supplied files, especially SVGs, to remove or neutralize embedded scripts before rendering.
4. Deploy Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the domains from which scripts can be loaded, reducing the impact of XSS.
5. Educate users about the risks of uploading untrusted SVG files and encourage cautious handling of shared Portfolio files.
6. Monitor logs for unusual activity related to SVG uploads or Portfolio file rendering to detect potential exploitation attempts.
7. Consider isolating or sandboxing the Portfolio rendering environment to limit script execution privileges.
8. Review and tighten authentication and authorization controls to reduce the risk of unauthorized access that could facilitate exploitation.
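The following is an added example, not Foxit's code and not taken from the advisory, illustrating the class of server-side SVG sanitization described in the technical analysis and in mitigation step 3: the SVG is parsed as XML, script-bearing elements and event-handler attributes are stripped before the markup can reach the page, and a findings list is returned so every removal can be logged (step 6). The sample SVG and the blocklists are constructed for the example.

```python
"""Constructed example: sanitize a user-supplied SVG before it is inserted into HTML."""
import re
import xml.etree.ElementTree as ET  # in production prefer defusedxml to also block entity-expansion attacks

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can carry script or arbitrary HTML into the host page;
# animate/set are included because they can rewrite href attributes at runtime.
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "animate", "set"}
# URL schemes that turn an href into code execution (data: is blocked conservatively)
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text: str):
    """Return (clean_svg, findings); findings describes every removal for audit logging."""
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    # Pass 1: detach blocked elements (snapshot the iteration so removals are safe)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                findings.append(f"removed element <{_local(child.tag)}>")
                parent.remove(child)
    # Pass 2: drop event handlers (onload, onclick, onbegin ...) and script-scheme hrefs
    for elem in root.iter():
        for attr in list(elem.attrib):
            name, value = _local(attr), elem.attrib[attr]
            if name.startswith("on"):
                findings.append(f"removed event handler {name} on <{_local(elem.tag)}>")
                del elem.attrib[attr]
            elif name == "href" and DANGEROUS_URL.match(value):
                findings.append(f"removed {name}={value!r} on <{_local(elem.tag)}>")
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample: a benign rectangle plus three script-bearing constructs
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" onload="alert(1)">'
    '<script>alert(document.cookie)</script>'
    '<a xlink:href="javascript:alert(1)"><text x="0" y="15">click</text></a>'
    '<rect width="10" height="10" fill="red"/></svg>'
)
```

Sanitization is a second line of defence only: rendering uploaded SVGs as <img> from a separate origin, with a CSP that forbids inline script, stops execution even when a filter is bypassed.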


Technical Details

Data Version: 5.2
Assigner Short Name: Foxit
Date Reserved: 2025-12-04T03:37:51.889Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69450fe2c326d36e5368d343

Added to database: 12/19/2025, 8:42:10 AM

Last enriched: 12/19/2025, 8:49:54 AM

Last updated: 12/19/2025, 10:01:28 AM
