# Typesetter CMS Reflected XSS via Editing Component (CVE-2025-71164)

**Author:** Beatriz Fresno Naumova (beafn28), Snow1nd

**Date:** 14/01/2026

**Vendor:** Typesetter CMS

**Product:** Typesetter CMS

**Versions affected:** ≤ 5.1

**Component:** Editing component (`include/tool/Editing.php`)

**CWE:** CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)

**Attack type:** Remote

**Impact:** Cross-Site Scripting (XSS)

#### Description

Typesetter CMS versions up to and including 5.1 contain a reflected Cross-Site Scripting (XSS) vulnerability in the *Editing* component. The `images[]` parameter, submitted via a POST request, is reflected into an HTML `href` attribute without proper context-aware output encoding.

An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., `javascript:`), resulting in arbitrary JavaScript execution within the context of the victim’s browser session. This may allow session hijacking, execution of unauthorized actions, or further compromise of the administrative interface.

#### Impact

**Primary impact:**

* Execution of arbitrary JavaScript in the victim’s browser session

**Consequences:**

* Session hijacking
* Unauthorized actions performed on behalf of the victim
* Potential escalation to further administrative compromise

#### CVSS Details

**CVSS v4.0 Vector:**\
`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`

**Base Score:** 4.8 (Medium)

#### Solution

No official fix is currently available, as the project appears to be no longer actively maintained.

**Recommendation:**

* Restrict access to editing functionality to trusted users only
* Apply strict context-aware output encoding for all user-supplied input
* Avoid allowing pseudo-protocols such as `javascript:` in HTML attributes

#### Mitigation

* Properly escape and encode user-controlled input before rendering it in HTML attributes
* Implement server-side input validation and output encoding
* Conduct regular security reviews of administrative components
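The description above notes that `images[]` lands in an `href` attribute without context-aware encoding, and the mitigation list asks for encoding plus a ban on pseudo-protocols. Both are needed: `htmlspecialchars()` alone does not stop `javascript:` in an `href`, because the colon and letters are not special in attribute context. The helper below is an added example (not Typesetter's own code; `safe_href` is a hypothetical name) that applies a scheme allowlist before encoding for the attribute.

```php
<?php
// Added example, not code from Typesetter CMS. Validates a user-supplied
// image reference before it is placed inside href="...".

/**
 * Return a value safe to embed inside an href attribute, or null if the
 * input must be rejected. Only relative paths and http(s) URLs pass, so
 * pseudo-protocols such as javascript: or data: never reach the attribute.
 */
function safe_href(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > 2048) {
        return null;
    }
    // Control characters and embedded whitespace are classic ways to
    // disguise a scheme; reject rather than strip them.
    if (preg_match('/[\x00-\x20\x7f]/', $value)) {
        return null;
    }
    // If the value starts with a URL scheme, allow only http and https.
    // Relative paths such as "images/photo.png" contain no scheme and pass.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m)) {
        $scheme = strtolower($m[1]);
        if ($scheme !== 'http' && $scheme !== 'https') {
            return null; // javascript:, data:, vbscript:, ...
        }
    }
    // Context-aware output encoding for an HTML attribute value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with the images[] POST parameter named in the advisory.
$images = $_POST['images'] ?? [];
foreach ((array) $images as $image) {
    if (!is_string($image)) {
        continue;
    }
    $href = safe_href($image);
    if ($href === null) {
        continue; // drop the entry; log it here if you audit rejected input
    }
    echo '<a href="' . $href . '">' . $href . '</a>' . "\n";
}
```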

#### Discoverer

Beatriz Fresno Naumova (beafn28)

Snow1nd

#### References

* **CVE Record:** <https://www.cve.org/CVERecord?id=CVE-2025-71164>
* **VulnCheck:** <https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-editing-php>
* **Typesetter:** <https://github.com/Typesetter/Typesetter>

