Typesetter CMS Reflected XSS via Move Message Handling

Advisories

severity: medium
date: January 14, 2026
Affecting: Typesetter <= 5.1
This project appears to no longer be maintained
CVE: CVE-2025-71166
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
CVSS: 4.8
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References: Typesetter GitHub Issue
Credit: Snow1nd, Beatriz Fresno Naumova
Description: Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.