PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-71166 Typesetter CVE debrief

CVE-2025-71166 is a reflected cross-site scripting (XSS) vulnerability in the administrative interface of Typesetter CMS versions up to and including 5.1. The vulnerability exists within the Tools Status move message handling and is caused by improper output encoding of the path parameter in include/admin/Tools/Status.php. An authenticated attacker can exploit this vulnerability by supplying crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.

Vendor
Typesetter
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-14
Original CVE updated
2026-07-14
Advisory published
2026-01-14
Advisory updated
2026-07-14

Who should care

Administrators and users of Typesetter CMS versions up to and including 5.1 should be aware of this vulnerability and take necessary steps to mitigate it. This vulnerability requires authentication and could be used to compromise user sessions.

Technical summary

The vulnerability is a reflected XSS in the administrative interface of Typesetter CMS versions up to and including 5.1. It is located in the Tools Status move message handling and is caused by the lack of proper output encoding of the path parameter in include/admin/Tools/Status.php. This allows an authenticated attacker to inject malicious HTML or JavaScript code, which will be executed in the context of an authenticated user's browser session. Affected product deployments should be identified and prioritized for patching. The vulnerability requires authentication and has a CVSS score of 4.8, indicating a Medium severity. To mitigate this vulnerability, it is essential to apply the patch or update Typesetter CMS to a version beyond 5.1.

Defensive priority

Medium priority should be given to patching this vulnerability, as it requires authentication and could lead to session compromise.

Recommended defensive actions

  • Apply the patch or update Typesetter CMS to a version beyond 5.1.
  • Implement additional security measures such as input validation and output encoding for user-supplied data.
  • Monitor for suspicious activity and implement compensating controls such as web application firewalls.
  • Conduct regular security audits and vulnerability assessments.
  • Review and update asset inventory to ensure all affected systems are accounted for.
  • Establish a rollback change window for emergency patches.
  • Track the source of vulnerability reports and updates.

Evidence notes

The CVE record was published on 2026-01-14T19:16:47.300Z and was last modified on 2026-07-14T23:17:28.137Z. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 4.8 and a severity of MEDIUM.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-14T19:16:47.300Z and has not been modified since then. The NVD entry is currently Analyzed.