Vulnerability Details CVE-2025-71164
Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's browser session.
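The defensive point in this description is that the value lands in an href attribute, which is a URL context as well as an attribute context: entity-encoding the quotes stops an attacker from breaking out of the attribute, but it does nothing to a well-formed `javascript:` URL, which the browser will still execute on click. The following PHP (an added illustration, not Typesetter's own code; the function names and the sample `images[]` values are constructed for this example) shows the two layers a fix needs: an allowlist on the URL scheme, then attribute encoding of whatever is emitted.

```php
<?php
// Added example (not Typesetter's code): safely reflecting a user-supplied
// image URL into an href attribute. Function names are hypothetical.

/**
 * True only if $url may be placed in href: a relative path or an http(s)
 * URL. Any other scheme (javascript:, data:, vbscript:, ...) is rejected.
 */
function is_safe_link(string $url): bool
{
    // Browsers drop ASCII tab/newline inside a URL and leading control
    // characters, so "java\tscript:" is still javascript:. Normalise the
    // same way before inspecting the scheme (the check only; the original
    // string is what gets emitted if it passes).
    $u = preg_replace('/[\x00-\x20]+/', '', $url) ?? '';
    if ($u === '') {
        return false;
    }
    // No scheme at all (relative or protocol-relative path): allowed.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ['http', 'https'], true);
}

/**
 * Render one anchor. Unsafe schemes fall back to "#" instead of being
 * reflected; the attribute value is then entity-encoded so it cannot
 * terminate the attribute or the tag.
 */
function render_image_link(string $url): string
{
    $href = is_safe_link($url) ? $url : '#';
    $enc = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $enc . '">image</a>';
}

// Constructed stand-in for the images[] POST parameter from the advisory.
$_POST['images'] = [
    '/files/photo.png',        // legitimate relative path
    'javascript:alert(1)',     // pseudo-protocol: blocked by the scheme check
    '" onmouseover="x',        // attribute break-out: neutralised by encoding
];

foreach ((array) ($_POST['images'] ?? []) as $img) {
    echo render_image_link((string) $img), "\n";
}
// Output:
// <a href="/files/photo.png">image</a>
// <a href="#">image</a>
// <a href="&quot; onmouseover=&quot;x">image</a>
```

The third sample shows why the scheme check alone would also be insufficient: it carries no scheme, so `is_safe_link` accepts it, and only `htmlspecialchars` with `ENT_QUOTES` keeps the quote from closing the attribute. Both layers are needed for an href; applying only the encoding is exactly the gap the CVE text describes.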
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 21.1%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2025-71164
- cpe:2.3:a:typesettercms:typesetter:4.6
- cpe:2.3:a:typesettercms:typesetter:4.6.1
- cpe:2.3:a:typesettercms:typesetter:5.0
- cpe:2.3:a:typesettercms:typesetter:5.0.1
- cpe:2.3:a:typesettercms:typesetter:5.1