This page lists publicly disclosed CVE vulnerabilities affecting Typesetter CMS (linked via the NVD CPE vendor typesettercms, product typesetter). Each row gives the maximum CVSS score, the EPSS exploitation probability, a summary, and the publication and last-update dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-71166 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | [email protected] | 4.8 | 0.06% | 2026-01-14 | 2026-01-21 |
| CVE-2025-71165 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session. | [email protected] | 4.8 | 0.06% | 2026-01-14 | 2026-01-21 |
| CVE-2025-71164 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can supply a JavaScript pseudo-protocol (e.g., javascript:) to trigger arbitrary JavaScript execution in the context of the victim's brow | [email protected] | 4.8 | 0.06% | 2026-01-14 | 2026-01-21 |
| CVE-2022-25523 | TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. | [email protected] | 8.8 | 0.20% | 2022-03-25 | 2024-11-21 |
| CVE-2020-19511 | Cross Site Scripting vulnerability in Typesetter 5.1 via the (1) className and (2) Description fields in index.php/Admin/Classes. | [email protected] | 6.1 | 0.29% | 2021-06-21 | 2024-11-21 |
| CVE-2020-35126 | Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy." | [email protected] | 4.8 | 0.21% | 2020-12-11 | 2024-11-21 |
| CVE-2020-25790 | Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security policy" and is being fixed for 5.2. | [email protected] | 7.2 | 42.22% | 2020-09-19 | 2024-11-21 |
| CVE-2019-20077 | The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can logout the user using this vulnerability. | [email protected] | 4.3 | 0.18% | 2020-01-05 | 2024-11-21 |
| CVE-2018-16639 | Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. | [email protected] | 5.4 | 0.21% | 2019-05-13 | 2024-11-21 |
| CVE-2018-16626 | index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. | [email protected] | 4.8 | 0.24% | 2019-05-13 | 2024-11-21 |
| CVE-2018-16625 | index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. | [email protected] | 4.8 | 0.24% | 2019-05-13 | 2024-11-21 |
| CVE-2018-20837 | include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS. | [email protected] | 4.8 | 0.24% | 2019-05-09 | 2024-11-21 |
| CVE-2018-6889 | An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection. | [email protected] | 8.8 | 2.77% | 2018-02-12 | 2024-11-21 |
| CVE-2018-6888 | An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from a critical Cross-Site Request Forgery flaw: using a forged HTTP request, a malicious user can lead a user to unknowingly create, delete, or modify a user account due to the lack of an anti-CSRF token. | [email protected] | 8.0 | 0.13% | 2018-02-12 | 2024-11-21 |