CVE-2026-1591 is a stored cross-site scripting (XSS) vulnerability identified in Foxit Software Inc.'s cloud-based PDF editor service, pdfonline.foxit.com. The flaw exists in the file upload feature where the username associated with an uploaded file is embedded into the upload file list without proper input sanitization or escaping. This improper neutralization of input (CWE-79) allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser when the upload list is rendered. The vulnerability affects all versions of pdfonline.foxit.com prior to the fix released on 2026-02-03. Exploitation requires the attacker to have authenticated access to upload files with malicious usernames, and victims must view the affected upload list for the script to execute. The CVSS 3.1 base score is 6.3, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges and user interaction, and impacting confidentiality highly while integrity is impacted to a lesser extent. Although no exploits have been reported in the wild, the vulnerability could be leveraged to steal session tokens, perform actions on behalf of users, or conduct phishing attacks within the trusted domain. The root cause is insufficient input validation and output encoding in the web application’s rendering logic for user-supplied data. This vulnerability highlights the importance of secure coding practices in cloud-based document management services.

For European organizations, this vulnerability poses a risk primarily to confidentiality and user trust. If exploited, attackers could execute malicious scripts in the context of authenticated users, potentially stealing sensitive information such as session cookies, personal data, or corporate documents accessible via the cloud service. This could lead to unauthorized access to organizational resources or further lateral attacks. The integrity impact is lower but could involve manipulation of displayed content or user interface elements, potentially misleading users. Availability is not directly affected. Given the cloud nature of the service, the attack surface includes any European entity using Foxit PDF Editor Cloud, especially those handling sensitive or regulated data. This could have compliance implications under GDPR if personal data is compromised. The requirement for authenticated access and user interaction limits the attack scope but does not eliminate risk, especially in environments with many users or shared credentials. The medium severity rating suggests a moderate but actionable threat level.

European organizations should immediately verify if they use pdfonline.foxit.com and ensure their instances or accounts are updated to versions released after 2026-02-03 that address this vulnerability. If patching is not immediately possible, implement strict input validation and output encoding on any user-generated content displayed in the application, particularly usernames and file metadata. Employ Content Security Policies (CSP) to restrict the execution of inline scripts and limit sources of executable code, reducing the impact of potential XSS payloads. Educate users to be cautious when interacting with file upload lists and suspicious usernames. Monitor logs for unusual upload activity or attempts to inject scripts. Additionally, enforce strong authentication controls and session management to reduce the risk of credential compromise. Organizations should also consider isolating or sandboxing the affected application components to limit script execution privileges. Regular security assessments and penetration testing focused on web application vulnerabilities can help detect similar issues proactively.