Home > Vulnerability Database > CVE-2025-71165

Mend.io Vulnerability Database

CVE-2025-71165

Good to know:

Date: January 14, 2026

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated user's browser session.

Severity Score

5.4

Related Resources (5)

Url: https://www.vulncheck.com/advisories/typesetter-cms-reflected-xss-via-status-php

Url: https://github.com/Typesetter/Typesetter/issues/709

Url: https://github.com/Typesetter/Typesetter

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-71165

Url: https://www.mend.io/vulnerability-database/CVE-2025-71165

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-71165

Good to know:

Date: January 14, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?