CVE-2026-24127
📋 TL;DR
A reflected Cross-Site Scripting (XSS) vulnerability exists in Typemill CMS versions 2.19.1 and below, allowing attackers to inject malicious scripts via the login page when authentication fails. This affects all Typemill installations running vulnerable versions, potentially compromising user sessions and browser security. The vulnerability is exploitable through the login error view template where username input isn't properly encoded.
💻 Affected Systems
- Typemill CMS
📦 What is this software?
Typemill by Typemill
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect users to malicious sites, or install malware through the compromised login page.
Likely Case
Session hijacking of users who visit a maliciously crafted login URL, potentially leading to unauthorized access to the CMS admin interface.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute scripts, limiting impact to failed login attempts.
🎯 Exploit Status
Exploitation requires tricking users into visiting a specially crafted login URL. No authentication is needed to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.2
Vendor Advisory: https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr
Restart Required: No
Instructions:
1. Backup your Typemill installation.
2. Download version 2.19.2 from GitHub releases.
3. Replace the existing installation files with the new version.
4. Clear any cached templates if using template caching.
🔧 Temporary Workarounds
Manual template patching
Manually apply the fix to the vulnerable login.twig template by adding proper output encoding for the username variable.
Edit the login.twig template file and ensure username output uses proper Twig escaping: {{ username|e }}
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict access to the login page to trusted IP addresses only using network controls.
🔍 How to Verify
Check if Vulnerable:
Check your Typemill version. If it's 2.19.1 or below, you are vulnerable. Examine the login.twig template for proper output encoding of the username variable.
Check Version:
Check the version.txt file in your Typemill installation directory or view the admin panel version information.
Verify Fix Applied:
After updating to 2.19.2, verify that the login.twig template properly encodes the username output using {{ username|e }} or equivalent escaping.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with unusual username parameters containing script tags or JavaScript code
- HTTP requests to login page with suspicious query parameters
Network Indicators:
- HTTP requests containing script tags or JavaScript in username parameter to login endpoint
SIEM Query:
source="web_logs" AND uri_path="/login" AND (username="*<script>*" OR username="*javascript:*")