PatchSiren cyber security CVE debrief
CVE-2025-71164 Typesetter CVE debrief
CVE-2025-71164 is a reflected cross-site scripting (XSS) vulnerability in the Editing component of Typesetter CMS versions up to and including 5.1. The vulnerability occurs because the images parameter, submitted as images[] in a POST request, is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.
- Vendor
- Typesetter
- Product
- Unknown
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-01-14
- Advisory updated
- 2026-07-14
Who should care
Users of Typesetter CMS versions up to and including 5.1 should apply patches or mitigations to prevent exploitation of this vulnerability. System administrators and security teams responsible for web applications and content management systems should prioritize patching and monitoring for potential attacks.
Technical summary
The vulnerability exists in the Editing component of Typesetter CMS, specifically in the include/tool/Editing.php file. The images parameter is not properly encoded, allowing an attacker to inject malicious JavaScript code. The CVSS score for this vulnerability is 4.8, indicating a medium severity level. This issue arises from the lack of context-aware output encoding for user-supplied input in the images parameter, which can be exploited by an authenticated attacker with editing privileges to execute arbitrary JavaScript in the context of the victim's browser session. Users should prioritize patching and monitoring for potential attacks, focusing on restricting editing privileges to trusted users and implementing additional security controls such as web application firewalls (WAFs).
Defensive priority
Medium priority should be given to patching this vulnerability, as it requires an authenticated attacker with editing privileges to exploit.
Recommended defensive actions
- Apply patches or updates to Typesetter CMS to version 5.1 or later
- Implement context-aware output encoding for user-supplied input
- Monitor for suspicious activity and potential attacks
- Restrict editing privileges to trusted users
- Consider implementing additional security controls, such as web application firewalls (WAFs)
Evidence notes
The CVE record was published on 2026-01-14T19:16:47.007Z and last modified on 2026-07-14T23:17:27.850Z. The NVD entry is currently Analyzed. Evidence is limited to CVE and NVD information. Defenders should verify Typesetter CMS versions up to and including 5.1 are patched or mitigated, and monitor for suspicious activity related to the Editing component and images parameter. Further verification is needed to determine the full scope of affected systems and potential exploitation.
Official resources
-
CVE-2025-71164 CVE record
CVE.org
-
CVE-2025-71164 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Exploit, Issue Tracking
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-14T19:16:47.007Z and has not been modified since then. The NVD entry is currently Analyzed.