PatchSiren cyber security CVE debrief
CVE-2025-71166 Typesetter CVE debrief
CVE-2025-71166 is a reflected cross-site scripting (XSS) vulnerability in the administrative interface of Typesetter CMS versions up to and including 5.1. The vulnerability exists within the Tools Status move message handling and is caused by improper output encoding of the path parameter in include/admin/Tools/Status.php. An authenticated attacker can exploit this vulnerability by supplying crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.
- Vendor
- Typesetter
- Product
- Unknown
- CVSS
- MEDIUM 4.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-01-14
- Advisory updated
- 2026-07-14
Who should care
Administrators and users of Typesetter CMS versions up to and including 5.1 should be aware of this vulnerability and take necessary steps to mitigate it. This vulnerability requires authentication and could be used to compromise user sessions.
Technical summary
The vulnerability is a reflected XSS in the administrative interface of Typesetter CMS versions up to and including 5.1. It is located in the Tools Status move message handling and is caused by the lack of proper output encoding of the path parameter in include/admin/Tools/Status.php. This allows an authenticated attacker to inject malicious HTML or JavaScript code, which will be executed in the context of an authenticated user's browser session. Affected product deployments should be identified and prioritized for patching. The vulnerability requires authentication and has a CVSS score of 4.8, indicating a Medium severity. To mitigate this vulnerability, it is essential to apply the patch or update Typesetter CMS to a version beyond 5.1.
Defensive priority
Medium priority should be given to patching this vulnerability, as it requires authentication and could lead to session compromise.
Recommended defensive actions
- Apply the patch or update Typesetter CMS to a version beyond 5.1.
- Implement additional security measures such as input validation and output encoding for user-supplied data.
- Monitor for suspicious activity and implement compensating controls such as web application firewalls.
- Conduct regular security audits and vulnerability assessments.
- Review and update asset inventory to ensure all affected systems are accounted for.
- Establish a rollback change window for emergency patches.
- Track the source of vulnerability reports and updates.
Evidence notes
The CVE record was published on 2026-01-14T19:16:47.300Z and was last modified on 2026-07-14T23:17:28.137Z. The NVD entry is currently Analyzed. The vulnerability has a CVSS score of 4.8 and a severity of MEDIUM.
Official resources
-
CVE-2025-71166 CVE record
CVE.org
-
CVE-2025-71166 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Exploit, Issue Tracking
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-01-14T19:16:47.300Z and has not been modified since then. The NVD entry is currently Analyzed.