Foxit Products Stored Cross-Site Scripting Vulnerability in Page Templates Feature

A stored cross-site scripting vulnerability has been identified in Foxit PDF Reader and Foxit PDF Editor within the Page Templates feature. This vulnerability allows a crafted payload to be stored as the template name, which is later rendered into the DOM without proper sanitization. Consequently, the injected script executes each time the affected PDF is loaded. The vulnerability affects Foxit PDF Reader versions through 2025.2.1.33197 and Foxit PDF Editor versions through 2025.2.1.33197, as well as all previous 2025.x versions, 2024.4.1.27687 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 14.0.1.33197 and all previous 14.x versions, and 13.2.1.23955 and earlier. Additionally, Foxit PDF Editor for Mac 2025.2.1/14.0.1/13.2.1 and Foxit PDF Reader for Mac 2025.2.1 are affected.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Remediation

Users can update to the latest versions of Foxit PDF Reader or Foxit PDF Editor. For Foxit PDF Reader, the latest version can be downloaded from the Foxit website or via the application's update feature. For Foxit PDF Editor, the updated version is also available on the Foxit website or through the application's update option. Foxit PDF Reader for Mac and Foxit PDF Editor for Mac can be updated through the same methods.