Foxit eSign Cross-Site Scripting Vulnerability Allowing Arbitrary Script Execution

Vulnerability

A cross-site scripting vulnerability has been identified in Foxit eSign, specifically on the na1.foxitesign.foxit.com domain, prior to January 16, 2026. This vulnerability allows authenticated users to inject arbitrary scripts by exploiting improper handling of URL parameters. The untrusted input can be embedded into JavaScript code or HTML attributes without adequate encoding or sanitization, potentially leading to the execution of malicious JavaScript in the user's browser.

Impact

Exploitation of this vulnerability could result in the execution of arbitrary JavaScript in the context of the user's browser.

Remediation

Foxit eSign has been updated to address this vulnerability by implementing proper input validation and output encoding to prevent the injection and execution of malicious scripts. Users can contact the Foxit Security Response Team for more information.
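
The remediation above names input validation and output encoding. The following is an added example, not Foxit's code, that sketches both for the two sinks the advisory mentions: HTML attributes and JavaScript code. The parameter name docName, the allowlist, and the markup are assumptions made for illustration.

```javascript
// Added example: hypothetical handler, not Foxit eSign code.
// "docName" is an assumed parameter name; the advisory does not name one.

// Validation: allowlist of letters, digits, space, dot, underscore, hyphen.
function isValidDocName(value) {
  return /^[\p{L}\p{N} ._-]{1,64}$/u.test(value);
}

// HTML attribute sink: every character outside [A-Za-z0-9] becomes a
// numeric entity, so the value cannot close the attribute or open a tag.
function encodeHtmlAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// JavaScript string sink inside an inline <script>: JSON.stringify quotes
// and escapes the string; the extra pass rewrites characters that the HTML
// parser or older JS engines treat specially (<, >, &, ', U+2028, U+2029).
function encodeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Validate first, then encode for each sink separately. One encoder does
// not fit both contexts.
function renderPage(query) {
  const raw = new URLSearchParams(query).get("docName") ?? "";
  if (!isValidDocName(raw)) {
    return { status: 400, body: "Invalid docName" };
  }
  return {
    status: 200,
    body: `<input name="docName" value="${encodeHtmlAttr(raw)}">\n` +
          `<script>const docName = ${encodeJsString(raw)};</script>`,
  };
}

// Constructed sample input containing the metacharacters of both contexts.
const SAMPLE = `Q1 "draft" <v2> & 'final'`;
console.log(encodeHtmlAttr(SAMPLE));
console.log(encodeJsString(SAMPLE));
console.log(renderPage("docName=Q1+report.pdf"));
```

The encoders are applied even to values that pass validation, so a later loosening of the allowlist does not reopen either sink.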

Added: Jan 20, 2026, 7:21 AM
Updated: Jan 20, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.8
remediation: 0.0
relevance: 2.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.