CVE-2025-71164 MEDIUM

CVE-2025-71164: Typesetter CMS Reflected XSS via Editing.php

Vendor Typesetter
Product Typesetter
Weakness CWE-79 · XSS
Published January 14, 2026
Last update May 14, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

Key dates

02Disclosure timeline

January 14, 2026 CVE published
May 14, 2026 Record updated