Typesetter
by Typesetter
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-6889 | | Hig | 0.61 | 8.8 | 0.07 | | Feb 12, 2018 | An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache or perform advanced password reset attacks or even trigger arbitrary user re-direction. |
| CVE-2018-6888 | | Hig | 0.55 | 8.0 | 0.02 | | Feb 12, 2018 | An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request forgery: using a forged HTTP request, a malicious user can lead a user to unknowingly create / delete or modify a user account due to the lack… |
| CVE-2020-25790 | | | 0.06 | — | 0.16 | | Sep 19, 2020 | Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our security… |
| CVE-2025-71166 | | | 0.00 | — | 0.00 | | Jan 14, 2026 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in… |
| CVE-2025-71165 | | | 0.00 | — | 0.00 | | Jan 14, 2026 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status functionality. The path parameter is reflected into the HTML response without proper output encoding in… |
| CVE-2025-71164 | | | 0.00 | — | 0.00 | | Jan 14, 2026 | Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The images parameter (submitted as images[] in a POST request) is reflected into an HTML href attribute without proper context-aware output… |
| CVE-2022-25523 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request. |
| CVE-2020-19511 | | | 0.00 | — | 0.01 | | Jun 21, 2021 | Cross Site Scripting vulnerability in Typesetter 5.1 via the (1) className and (2) Description fields in index.php/Admin/Classes, |
| CVE-2019-20077 | | | 0.00 | — | 0.00 | | Jan 5, 2020 | The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by any CSRF tokens. An attacker can log out the user using this vulnerability. |
| CVE-2018-16625 | | | 0.00 | — | 0.01 | | May 13, 2019 | index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element. |
| CVE-2018-16626 | | | 0.00 | — | 0.01 | | May 13, 2019 | index.php/Admin/Classes in Typesetter 5.1 allows XSS via the description of a new class name. |
| CVE-2018-16639 | | | 0.00 | — | 0.01 | | May 13, 2019 | Typesetter 5.1 allows XSS via the index.php/Admin LABEL parameter during new page creation. |
| CVE-2018-20837 | | | 0.00 | — | 0.01 | | May 9, 2019 | include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS. |