CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-71166

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 21.1%

CVSS Severity

CVSS v3 Score 5.4

References

Products affected by CVE-2025-71166

Typesettercms » Typesetter » Version: 4.6

cpe:2.3:a:typesettercms:typesetter:4.6
Typesettercms » Typesetter » Version: 4.6.1

cpe:2.3:a:typesettercms:typesetter:4.6.1
Typesettercms » Typesetter » Version: 5.0

cpe:2.3:a:typesettercms:typesetter:5.0
Typesettercms » Typesetter » Version: 5.0.1

cpe:2.3:a:typesettercms:typesetter:5.0.1
Typesettercms » Typesetter » Version: 5.1

cpe:2.3:a:typesettercms:typesetter:5.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2025-71166

Products

Pricing

Contact Us