CVE-2026-1591 is a stored cross-site scripting (XSS) vulnerability identified in Foxit PDF Editor Cloud (pdfonline.foxit.com), specifically within the file upload feature. The vulnerability stems from improper neutralization of input (CWE-79) where a malicious username is embedded into the upload file list without adequate escaping or sanitization. When the upload file list is rendered in the user interface, the embedded JavaScript executes in the context of the victim's browser. This can lead to unauthorized actions such as session hijacking, theft of sensitive information, or execution of arbitrary scripts. The vulnerability affects all versions of pdfonline.foxit.com prior to the fix date of 2026-02-01. Exploitation requires an authenticated user to upload a file with a crafted username and for a victim to view the upload list, thus involving user interaction. The CVSS v3.1 base score is 6.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. This means the attack can be launched remotely over the network with low attack complexity, requires low privileges (authenticated user), and user interaction is necessary. The impact on confidentiality is high due to potential data exposure, while integrity impact is low and availability is unaffected. No public exploits or widespread attacks have been reported yet. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in cloud-based document management services.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Foxit PDF Editor Cloud for document processing and collaboration. Successful exploitation could lead to unauthorized disclosure of sensitive documents or user credentials, enabling further attacks such as account takeover or lateral movement within the network. Confidentiality is the primary concern, as attackers could steal session tokens or sensitive data displayed in the browser. Integrity impact is limited but could allow attackers to inject misleading information or scripts that alter user experience. Availability is not affected directly. Organizations in regulated sectors such as finance, healthcare, and government are at higher risk due to the sensitivity of their documents and compliance requirements under GDPR. The need for user interaction and authentication reduces the attack surface but does not eliminate risk, especially in environments with many users and frequent file uploads. The vulnerability could also be leveraged in targeted phishing or social engineering campaigns to escalate privileges or gain persistent access.

To mitigate this vulnerability, European organizations should immediately update Foxit PDF Editor Cloud to the patched version released after 2026-02-01. If patching is not immediately possible, implement strict input validation and output encoding on the server side to sanitize usernames and other user-supplied data before rendering. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. Limit user privileges to reduce the risk of malicious uploads and monitor file upload activities for suspicious behavior. Educate users about the risks of interacting with untrusted file lists and encourage cautious behavior when viewing uploaded files. Additionally, consider isolating the pdfonline.foxit.com service within a segmented network zone and enable multi-factor authentication (MFA) to reduce the risk of compromised credentials. Regularly audit logs for signs of exploitation attempts and maintain up-to-date backups to recover from potential incidents.