CVE-2025-71166 is a reflected cross-site scripting (XSS) vulnerability in the administrative interface of Typesetter CMS versions up to and including 5.1. The vulnerability exists within the Tools Status move message handling and is caused by improper output encoding of the path parameter in include/admin/Tools/Status.php. An authenticated attacker can exploit this vulnerability by supplying crafted input [truncated]
A reflected cross-site scripting (XSS) vulnerability exists in Typesetter CMS versions up to and including 5.1 within the administrative interface's Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php, allowing an authenticated attacker to supply crafted input containing HTML or JavaScript, resulting in arbitra [truncated]
CVE-2025-71164 is a reflected cross-site scripting (XSS) vulnerability in the Editing component of Typesetter CMS versions up to and including 5.1. The vulnerability occurs because the images parameter, submitted as images[] in a POST request, is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges [truncated]