CVE-2026-24127 MEDIUM

CVE-2026-24127: Typemill has Reflected XSS via login error view template

Vendor Typemill
Product typemill
Weakness CWE-79 · XSS
Published January 23, 2026
Last update January 26, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.

Key dates

02Disclosure timeline

January 23, 2026 CVE published
January 26, 2026 Record updated