Foxit PDF Editor
cpe:2.3:a:foxit:pdf_editor:*:*:*:*:*:*:*, +1 more
- <= 2025.2.1.33197
A stored cross-site scripting vulnerability has been identified in Foxit PDF Reader and Foxit PDF Editor within the Layer Import feature. This vulnerability allows for the injection of a crafted payload into the 'Create new Layer' field during the import process. The injected script is later executed when the Layers panel is accessed, as it is rendered into the DOM without proper sanitization. This issue affects Foxit PDF Reader versions through 2025.2.1.33197 and Foxit PDF Editor versions through 2025.2.1.33197, as well as all previous 2025.x versions, 2024.4.1.27687 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 14.0.1.33197 and all previous 14.x versions, and 13.2.1.23955 and earlier.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Users can update to the latest versions of Foxit PDF Reader or Foxit PDF Editor. For Foxit PDF Reader, the latest version can be downloaded from the Foxit website or via the application's update feature. For Foxit PDF Editor, the updated version is also available on the Foxit website or through the application's update option.
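To decide which installations need the update, the version ceilings listed in the description can be turned into a check over a software inventory. The following is an added example, not code from Foxit or from this advisory; the host names and builds in the sample inventory are constructed, and it assumes four-part version strings and that each listed ceiling applies to its whole release branch.

```python
# Added example: ceilings are copied from the advisory text above.
# Assumption: each ceiling covers its whole release branch.
AFFECTED_CEILINGS = {
    2025: "2025.2.1.33197",
    2024: "2024.4.1.27687",
    2023: "2023.3.0.23028",
    14: "14.0.1.33197",
}
LEGACY_CEILING = "13.2.1.23955"  # "13.2.1.23955 and earlier"


def parse_version(text):
    """Turn '2025.2.1.33197' into (2025, 2, 1, 33197); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True if the build falls inside a range the advisory lists as affected."""
    version = parse_version(version_text)
    major = version[0]
    if major in AFFECTED_CEILINGS:
        return version <= parse_version(AFFECTED_CEILINGS[major])
    # Anything at or below the 13.x ceiling is listed as affected.
    return version <= parse_version(LEGACY_CEILING)


def triage(inventory):
    """Split {host: version} into affected, not-listed and unparseable hosts."""
    report = {"affected": [], "not_listed": [], "unparseable": []}
    for host, version_text in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version_text) else "not_listed"
        except ValueError:
            bucket = "unparseable"  # review by hand rather than assume safe
        report[bucket].append(host)
    return report


# Constructed inventory (hypothetical host names and builds).
SAMPLE_INVENTORY = {
    "ws-01": "2025.2.1.33197",
    "ws-02": "2025.3.0.10000",
    "ws-03": "14.0.1.33197",
    "ws-04": "12.1.0.15250",
    "ws-05": "2024.4.1",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts reported as unparseable should be checked manually, since a truncated version string cannot be placed inside or outside a listed range.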