CVE-2025-71166

UNKNOWN 0.0

Typesetter CMS Reflected XSS via Move Message Handling

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.

CWE	CWE-79
Vendor	typesetter
Product	typesetter
Published	Jan 14, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for typesetter typesetter

Be the first to know when new unknown vulnerabilities affecting typesetter typesetter are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Typesetter / Typesetter

0 ≤ 5.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Typesetter/Typesetter github.com: https://github.com/Typesetter/Typesetter/issues/707 vulncheck.com: https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-move-message-handling

Credits

Snow1nd Beatriz Fresno Naumova