Security Advisory

CVE-2025-71166

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-01-14 18:28:40
Last updated 2026-05-14 02:08:57
Assigner VulnCheck
State PUBLISHED

Description

Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative interface within the Tools Status move message handling. The path parameter is reflected into the HTML output without proper output encoding in include/admin/Tools/Status.php. An authenticated attacker can supply crafted input containing HTML or JavaScript, resulting in arbitrary script execution in the context of an authenticated users browser session.