PatchSiren

Typesetter CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Typesetter CVE published 2026-01-14

CVE-2025-71166

CVE-2025-71166 is a reflected cross-site scripting (XSS) vulnerability in the administrative interface of Typesetter CMS versions up to and including 5.1. The vulnerability exists within the Tools Status move message handling and is caused by improper output encoding of the path parameter in include/admin/Tools/Status.php. An authenticated attacker can exploit this vulnerability by supplying crafted input [truncated]

MEDIUM Typesetter CVE published 2026-01-14

CVE-2025-71165

A reflected cross-site scripting (XSS) vulnerability exists in Typesetter CMS versions up to and including 5.1 within the administrative interface's Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php, allowing an authenticated attacker to supply crafted input containing HTML or JavaScript, resulting in arbitra [truncated]

MEDIUM Typesetter CVE published 2026-01-14

CVE-2025-71164

CVE-2025-71164 is a reflected cross-site scripting (XSS) vulnerability in the Editing component of Typesetter CMS versions up to and including 5.1. The vulnerability occurs because the images parameter, submitted as images[] in a POST request, is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges [truncated]