Home > Vulnerability Database > CVE-2026-24127

Mend.io Vulnerability Database

CVE-2026-24127

Good to know:

Date: January 23, 2026

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template "login.twig" of versions 2.19.1 and below. The "username" value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.

Severity Score

5.4

Related Resources (5)

Url: https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr

Url: https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c

Url: https://github.com/typemill/typemill/releases/tag/v2.19.2

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24127

Url: https://www.mend.io/vulnerability-database/CVE-2026-24127

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Encoding or Escaping of Output

CWE-116

Top Fix

Upgrade Version

Upgrade to version https://github.com/typemill/typemill.git - v2.19.2

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24127

Good to know:

Date: January 23, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?