PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71164 Typesetter CVE debrief

CVE-2025-71164 is a reflected cross-site scripting (XSS) vulnerability in the Editing component of Typesetter CMS versions up to and including 5.1. The vulnerability occurs because the images parameter, submitted as images[] in a POST request, is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.

Vendor
Typesetter
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-14
Original CVE updated
2026-07-14
Advisory published
2026-01-14
Advisory updated
2026-07-14

Who should care

Users of Typesetter CMS versions up to and including 5.1 should apply patches or mitigations to prevent exploitation of this vulnerability. System administrators and security teams responsible for web applications and content management systems should prioritize patching and monitoring for potential attacks.

Technical summary

The vulnerability exists in the Editing component of Typesetter CMS, specifically in the include/tool/Editing.php file. The images parameter is not properly encoded, allowing an attacker to inject malicious JavaScript code. The CVSS score for this vulnerability is 4.8, indicating a medium severity level. This issue arises from the lack of context-aware output encoding for user-supplied input in the images parameter, which can be exploited by an authenticated attacker with editing privileges to execute arbitrary JavaScript in the context of the victim's browser session. Users should prioritize patching and monitoring for potential attacks, focusing on restricting editing privileges to trusted users and implementing additional security controls such as web application firewalls (WAFs).

Defensive priority

Medium priority should be given to patching this vulnerability, as it requires an authenticated attacker with editing privileges to exploit.

Recommended defensive actions

  • Apply patches or updates to Typesetter CMS to version 5.1 or later
  • Implement context-aware output encoding for user-supplied input
  • Monitor for suspicious activity and potential attacks
  • Restrict editing privileges to trusted users
  • Consider implementing additional security controls, such as web application firewalls (WAFs)

Evidence notes

The CVE record was published on 2026-01-14T19:16:47.007Z and last modified on 2026-07-14T23:17:27.850Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify Typesetter CMS versions up to and including 5.1 are patched or mitigated, and monitor for suspicious activity related to the Editing component and images parameter. Further verification is needed to determine the full scope of affected systems and potential exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-14T19:16:47.007Z and has not been modified since then. The NVD entry is currently Analyzed.