Foxit Products Stored Cross-Site Scripting Vulnerability in Trusted Certificates Feature

Vulnerability

A stored cross-site scripting vulnerability has been identified in Foxit PDF Reader and Foxit PDF Editor within the Trusted Certificates feature. This vulnerability allows for the injection of a crafted payload into the certificate name, which is subsequently rendered in the DOM without adequate sanitization. As a result, the injected script executes each time the Trusted Certificates view is accessed. Affected versions include Foxit PDF Reader 2025.2.1.33197 and earlier, as well as Foxit PDF Editor 2025.2.1.33197 and all previous 2025.x versions, 2024.4.1.27687 and all previous 2024.x versions, 2023.3.0.23028 and all previous 2023.x versions, 14.0.1.33197 and all previous 14.x versions, and 13.2.1.23955 and earlier.
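The affected ranges listed above can be turned into an inventory check. The following is an added example, not code from Foxit or from this advisory; the product labels `reader` and `editor`, the four-field version format, and the sample inventory are assumptions made for the example.

```python
# Highest affected build per release line, copied from the advisory text above.
READER_MAX = (2025, 2, 1, 33197)
EDITOR_MAX_BY_MAJOR = {
    2025: (2025, 2, 1, 33197),
    2024: (2024, 4, 1, 27687),
    2023: (2023, 3, 0, 23028),
    14: (14, 0, 1, 33197),
}
EDITOR_LEGACY_MAX = (13, 2, 1, 23955)  # "13.2.1.23955 and earlier"


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if the version is in a range the advisory lists as affected."""
    v = parse_version(version)
    if product == "reader":
        return v <= READER_MAX
    if product == "editor":
        if v <= EDITOR_LEGACY_MAX:
            return True
        ceiling = EDITOR_MAX_BY_MAJOR.get(v[0])
        # A release line the advisory does not mention is reported as not listed.
        return ceiling is not None and v <= ceiling
    raise ValueError(f"unknown product {product!r}")


# Constructed sample inventory: (host, product label, installed version).
SAMPLE_INVENTORY = [
    ("ws-001", "reader", "2025.2.1.33197"),
    ("ws-002", "editor", "2024.3.0.26795"),
    ("ws-003", "editor", "14.0.2.40000"),
]


def affected_hosts(inventory):
    """Return the hosts whose installed build falls in an affected range."""
    return [h for h, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))
```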

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Remediation

Users can update to the latest version of Foxit PDF Reader or Foxit PDF Editor. For both products, the updated version can be downloaded from the Foxit website or installed through the application's update feature.

Added: Dec 19, 2025, 8:18 AM
Updated: Dec 19, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 1.7
exploitability: 4.7
remediation: 7.7
relevance: 1.6
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.