CVE-2025-71164

UNKNOWN 0.0

Typesetter CMS Reflected XSS via Editing.php

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

CWE	CWE-79
Vendor	typesetter
Product	typesetter
Published	Jan 14, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for typesetter typesetter

Be the first to know when new unknown vulnerabilities affecting typesetter typesetter are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Typesetter / Typesetter

0 ≤ 5.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Typesetter/Typesetter github.com: https://github.com/Typesetter/Typesetter/issues/706 vulncheck.com: https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php

Credits

Snow1nd Beatriz Fresno Naumova