CVE-2025-71164

5.4 MEDIUM

📋 TL;DR

Typesetter CMS versions up to 5.1 contain a reflected XSS vulnerability in the Editing component where the images parameter is improperly sanitized. An authenticated attacker with editing privileges can inject malicious JavaScript that executes in victims' browsers. This affects all Typesetter CMS installations running vulnerable versions.

💻 Affected Systems

Products:
  • Typesetter CMS
Versions: up to and including 5.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with editing privileges; affects the Editing component specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could steal admin session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites.

🟠 Likely Case

Attackers with editing privileges could target other administrators to escalate privileges or maintain persistence in the CMS.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability would be neutralized with no impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with editing privileges; reflected XSS via POST request to include/tool/Editing.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 5.1 (check GitHub for latest)

Vendor Advisory: https://github.com/Typesetter/Typesetter/issues/706

Restart Required: No

Instructions:

1. Update Typesetter CMS to the latest version from GitHub.
2. Replace include/tool/Editing.php with the patched version.
3. Clear any cached files.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

  • Add server-side validation that rejects the javascript: protocol in the images parameter.
  • Modify include/tool/Editing.php to sanitize each element of the $_POST['images'] array before it is written into an href attribute.

🧯 If You Can't Patch

  • Restrict editing privileges to trusted users only
  • Implement Content Security Policy (CSP) with script-src directives to block inline JavaScript

🔍 How to Verify

Check if Vulnerable:

Review include/tool/Editing.php for missing output encoding of the images parameter where its values are written into href attributes

Check Version:

Check version in admin panel or read CHANGELOG.txt

Verify Fix Applied:

Check that images parameter values are properly encoded in href attributes

📡 Detection & Monitoring

Log Indicators:

  • POST requests to include/tool/Editing.php with javascript: in parameters

Network Indicators:

  • HTTP POST to Editing.php with suspicious images[] parameter values

SIEM Query:

web_uri="/include/tool/Editing.php" AND http_method=POST AND (param CONTAINS "javascript:")
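The following is an added example, not code from Typesetter CMS, showing the two defensive pieces this advisory describes: the workaround filter for the $_POST['images'] array (rejecting non-http(s) schemes and HTML-encoding values before they reach an href attribute) and a detection check matching the log and SIEM indicators above. The function names, the request-record shape fed to the detector, and the sample inputs are all assumptions; the real contents of include/tool/Editing.php are not reproduced. It assumes PHP 8.

```php
<?php
// Added example (not Typesetter's own code). Function names and the
// request-record format are assumptions for illustration.

/**
 * Accept only a relative path or an absolute http/https URL as an image
 * location. javascript:, data:, vbscript: and scheme tricks that rely on
 * embedded whitespace or control characters are rejected.
 */
function is_safe_image_url(string $url): bool
{
    // Remove ASCII control characters and spaces that browsers ignore when
    // parsing a scheme (e.g. "java\tscript:" or " javascript:").
    $clean = preg_replace('/[\x00-\x20\x7F]/', '', $url);
    if ($clean === null || $clean === '') {
        return false;
    }
    // RFC 3986 scheme grammar: letter followed by letters/digits/+/-/. then ':'
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // No scheme: a path reference. Reject protocol-relative "//host" too.
    return !str_starts_with($clean, '//');
}

/**
 * Workaround filter for $_POST['images']: drop unsafe values and return the
 * survivors encoded for use inside a double-quoted href attribute.
 */
function sanitize_images_param(mixed $images): array
{
    $out = [];
    foreach ((array) $images as $img) {
        if (!is_string($img) || !is_safe_image_url($img)) {
            continue; // drop rather than attempt to "repair" the value
        }
        $out[] = htmlspecialchars($img, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $out;
}

/**
 * Detection check for this advisory's indicators: a POST to
 * include/tool/Editing.php whose images[] values carry a disallowed scheme.
 * $request is a constructed record (method, uri, params); a real pipeline
 * would build it from WAF or application logs that retain request bodies.
 */
function is_suspicious_editing_request(array $request): bool
{
    if (strtoupper($request['method'] ?? '') !== 'POST') {
        return false;
    }
    $path = parse_url($request['uri'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || !str_ends_with($path, '/include/tool/Editing.php')) {
        return false;
    }
    foreach ((array) ($request['params']['images'] ?? []) as $value) {
        if (is_string($value) && !is_safe_image_url($value)) {
            return true;
        }
    }
    return false;
}

// Constructed sample images[] array mixing legitimate and hostile values.
$sample = [
    '/images/photo.png',
    'https://example.com/a.jpg?x=1&y=2',
    'javascript:alert(1)',
    "java\tscript:alert(1)",
    'JAVASCRIPT:alert(1)',
    'data:text/html;base64,PHNjcmlwdD4=',
    '"><b>bold</b>',
];
foreach (sanitize_images_param($sample) as $href) {
    echo '<a href="' . $href . '">image</a>', PHP_EOL;
}

// Constructed request records resembling parsed log entries.
$requests = [
    ['method' => 'POST', 'uri' => '/include/tool/Editing.php',
     'params' => ['images' => ['/images/photo.png']]],
    ['method' => 'POST', 'uri' => '/include/tool/Editing.php',
     'params' => ['images' => ['javascript:alert(1)']]],
    ['method' => 'GET', 'uri' => '/include/tool/Editing.php',
     'params' => ['images' => ['javascript:alert(1)']]],
];
foreach ($requests as $i => $req) {
    printf("request %d: %s\n", $i, is_suspicious_editing_request($req) ? 'ALERT' : 'ok');
}
```

The filter normalizes before checking the scheme, so case changes and embedded tab or control characters do not bypass it, and the surviving values are still HTML-encoded so quotes and angle brackets cannot break out of the attribute. The detector reuses the same scheme check, which keeps the monitoring rule and the workaround in agreement; only the POST carrying a javascript: value is flagged in the sample set.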
