PT-2026-2944 · Unknown · Typesetter Cms
Snow1Nd · Published 2026-01-14 · Updated 2026-01-21
CVE-2025-71164
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Typesetter CMS versions up to and including 5.1
Description
Typesetter CMS versions up to and including 5.1 have a reflected cross-site scripting (XSS) issue in the Editing component. The images parameter, submitted as images[] in a POST request, is reflected into an HTML href attribute without proper output encoding in include/tool/Editing.php. An authenticated attacker with editing privileges can use a JavaScript pseudo-protocol to execute arbitrary JavaScript in the victim’s browser session.
Recommendations
Versions prior to 5.1 should be used.
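The description names two separate gaps: the value reaches an href without output encoding, and a JavaScript pseudo-protocol is accepted as a link target. The sketch below is an added example, not code from include/tool/Editing.php or the Typesetter project; the helper names, the allowed-scheme list and the sample values are assumptions made for illustration. It shows why both a scheme allowlist and attribute-context encoding are needed before a submitted value is written into href.

```php
<?php
// Added example: hypothetical helpers, not code from include/tool/Editing.php.

const ALLOWED_SCHEMES = ['http', 'https']; // assumed policy for image links

function safe_image_href(string $raw): ?string
{
    // Reject whitespace and control characters outright: browsers strip
    // tab/CR/LF from URLs, so a scheme split by a tab would still be honoured.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    // An absolute URL must use an allowlisted scheme; anything else
    // (javascript:, data:, vbscript:, ...) is refused.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $raw, $m)
        && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return null;
    }
    // Encode for the attribute context so quotes and '&' cannot break out
    // of href="..." or be read back as a character reference.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_image_link(string $raw): string
{
    $href = safe_image_href($raw);
    return $href === null
        ? '<span class="rejected">invalid image reference</span>'
        : '<a href="' . $href . '">image</a>';
}

// Constructed sample values standing in for a submitted images[] array.
$images = [
    '/uploads/photo.png',                 // relative path: accepted
    'https://example.com/a.png?x=1&y=2',  // allowlisted scheme, '&' gets encoded
    'javascript:void(0)',                 // pseudo-protocol: rejected
    "java\tscript:void(0)",               // tab inside the scheme: rejected
    'javascript&#58;void(0)',             // '&' is encoded, so no ':' reaches the parser
    'a.png"onclick="x',                   // quotes are encoded, attribute stays closed
];
foreach ($images as $value) {
    echo render_image_link($value), PHP_EOL;
}
```

Encoding alone leaves a javascript: URL intact, and a scheme check alone leaves the attribute open to quote break-out, which is why the helper applies both.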
Exploit
Fix
XSS
Affected Products
Typesetter Cms