Typesetter CMS Reflected XSS via Editing Component (CVE-2025-71164)

Author: Beatriz Fresno Naumova (beafn28), Snow1nd

Date: 14/01/2026

Vendor: Typesetter CMS

Product: Typesetter CMS

Versions affected: ≤ 5.1

Component: Editing component (include/tool/Editing.php)

CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)

Attack type: Remote

Impact: Cross-Site Scripting (XSS)

Description

Typesetter CMS versions up to and including 5.1 contain a reflected Cross-Site Scripting (XSS) vulnerability in the Editing component. The images[] parameter, submitted via a POST request, is reflected into an HTML href attribute without proper context-aware output encoding.

An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:), resulting in arbitrary JavaScript execution within the context of the victim’s browser session. This may allow session hijacking, execution of unauthorized actions, or further compromise of the administrative interface.

Impact

Primary impact:

  • Execution of arbitrary JavaScript in the victim’s browser session

Consequences:

  • Session hijacking

  • Unauthorized actions performed on behalf of the victim

  • Potential escalation to further administrative compromise

CVSS Details

CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Base Score: 4.8 (Medium)

Solution

No official fix is currently available, as the project appears to be no longer actively maintained.

Recommendation:

  • Restrict access to editing functionality to trusted users only

  • Apply strict context-aware output encoding for all user-supplied input

  • Avoid allowing pseudo-protocols such as javascript: in HTML attributes

Mitigation

  • Properly escape and encode user-controlled input before rendering it in HTML attributes

  • Implement server-side input validation and output encoding

  • Conduct regular security reviews of administrative components
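As an added illustration of the recommendation and mitigation lists above (example code written for this advisory, not Typesetter's own code), the PHP helper below allowlists the URL scheme and applies attribute-context encoding before a user-supplied value is placed in an href; the function names, the sample values and the fallback of "#" are assumptions.

```php
<?php
// Added example, not from the Typesetter code base: render an untrusted
// value safely inside href="...", the context the advisory describes for
// the images[] parameter.

/**
 * Return a value that is safe to place inside an href attribute.
 * Only http(s) URLs and same-site relative paths pass; any other scheme
 * (javascript:, data:, vbscript:, ...) is replaced by a harmless fragment.
 */
function safe_href(string $url): string
{
    // Strip ASCII control characters that browsers tolerate inside a
    // scheme (e.g. a tab in "java\tscript:"), so the check below sees
    // the scheme the browser would actually honour.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', trim($url));
    if ($clean === '') {
        return '#';
    }

    $allowed = false;
    if (substr($clean, 0, 2) === '//') {
        $allowed = false;                  // protocol-relative: off-site
    } elseif (preg_match('#^https?://#i', $clean)) {
        $allowed = true;                   // absolute http(s) URL
    } elseif (!preg_match('#^[a-z][a-z0-9+.\-]*:#i', $clean)) {
        $allowed = true;                   // no scheme at all: a path
    }
    if (!$allowed) {
        return '#';
    }
    // Attribute context: encode quotes, <, >, & so the value cannot close
    // the attribute even though the scheme allowlist is satisfied.
    return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function image_link(string $src): string
{
    $label = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . safe_href($src) . '">' . $label . '</a>';
}

// Constructed sample values of the kind an images[] array might carry.
$samples = [
    '/data/_uploaded/image/photo.jpg',     // kept as-is
    'https://example.com/a.png',           // kept as-is
    'javascript:alert(1)',                 // href becomes "#"
    "java\tscript:alert(1)",               // tab removed, then rejected
    'photo.jpg" title="x',                 // quote encoded as &quot;
];
foreach ($samples as $s) {
    echo image_link($s), PHP_EOL;
}
```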

Discoverer

Beatriz Fresno Naumova (beafn28)

Snow1nd
