Typesetter CMS Reflected XSS via Status.php (CVE-2025-71165)
Author: Beatriz Fresno Naumova (beafn28), Snow1nd
Date: 14/01/2026
Vendor: Typesetter CMS
Product: Typesetter CMS
Versions affected: ≤ 5.1
Component: Administrative interface – Tools / Status (include/admin/Tools/Status.php)
CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation (XSS)
Attack type: Remote
Impact: Cross-Site Scripting (XSS)
Description
Typesetter CMS versions up to and including 5.1 contain a reflected Cross-Site Scripting (XSS) vulnerability in the administrative interface, specifically within the Tools / Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php.
An authenticated attacker can supply crafted input containing malicious HTML or JavaScript code, which is then executed in the context of the authenticated user's browser session. This may allow the attacker to perform unauthorized actions, hijack sessions, or further compromise the administrative environment.
Impact
Primary impact:
Execution of arbitrary JavaScript in an authenticated user’s browser session
Consequences:
Session hijacking
Unauthorized administrative actions
Potential escalation to broader application compromise
CVSS Details
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Base Score: 4.8 (Medium)
Solution
No official fix is currently available, as the project appears to be no longer actively maintained.
Recommendation:
Limit access to administrative interfaces to trusted users only
Apply proper context-aware output encoding for all user-supplied input
Sanitize and validate parameters reflected in HTML responses
Mitigation
Implement strict output encoding for variables reflected in HTML content
Avoid reflecting user-controlled input directly into administrative pages
Conduct periodic security reviews of administrative components
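The following PHP snippet is an added illustration of the defect class and the mitigation the advisory describes; it is not Typesetter's own code and does not reproduce include/admin/Tools/Status.php. The handler functions, the helper names, and the sample inputs are all constructed for this example, and it assumes PHP 8 (for str_contains).

```php
<?php
// Added illustration (not Typesetter's own code): the CWE-79 pattern the
// advisory describes, beside a hardened counterpart. The request handler,
// function names and sample inputs are constructed for this example.

declare(strict_types=1);

/**
 * Vulnerable pattern: a request parameter is concatenated straight into the
 * HTML response. Whatever the caller puts in $path reaches the browser as
 * markup, which is the defect class described for the path parameter.
 */
function render_status_vulnerable(string $path): string
{
    return '<p>Status for: ' . $path . '</p>';
}

/**
 * Hardened pattern: context-aware output encoding for an HTML text node.
 * ENT_QUOTES encodes both quote styles so the same helper is also safe inside
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, which would otherwise silently blank the output.
 */
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_status_hardened(string $path): string
{
    return '<p>Status for: ' . html_text($path) . '</p>';
}

/**
 * Defence in depth for a parameter that is meant to name a location inside
 * the site: accept only a narrow character set and no parent-directory
 * segments before the value is used at all. Validation narrows the input;
 * output encoding on the way back out is still required.
 */
function is_plausible_site_path(string $path): bool
{
    return (bool) preg_match('#\A[A-Za-z0-9_./-]{1,255}\z#', $path)
        && !str_contains($path, '..');
}

// Constructed sample inputs: a benign path and one carrying markup characters.
$samples = ['pages/index.php', 'x"><b>not a path</b>'];

foreach ($samples as $p) {
    echo 'input:      ' . $p . PHP_EOL;
    echo 'vulnerable: ' . render_status_vulnerable($p) . PHP_EOL;
    echo 'hardened:   ' . render_status_hardened($p) . PHP_EOL;
    echo 'accepted:   ' . (is_plausible_site_path($p) ? 'yes' : 'no') . PHP_EOL . PHP_EOL;
}
```

Run with php on the command line to compare the two renderings: the hardened output turns the angle brackets and quotes in the second sample into entities so the browser displays them as text, while the validator rejects that sample outright. Encoding is applied at the point of output because that is where the HTML context is known; validating earlier is a second layer, not a replacement.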
Discoverer
Beatriz Fresno Naumova (beafn28)
Snow1nd
References
CVE Record: https://www.cve.org/CVERecord?id=CVE-2025-71165
Typesetter: https://github.com/Typesetter/Typesetter