Typesettercms Typesetter — known CVE vulnerabilities
Every CVE whose affected-product data names Typesettercms Typesetter, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2018-6889 — CVSS 8.8 (high): An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability, Using this attack, a malicious user can…
CVE-2022-25523 — CVSS 8.8 (high): TypesetterCMS v5.1 was discovered to contain a Cross-Site Request Forgery (CSRF) which is exploited via a crafted POST request.
CVE-2018-6888 — CVSS 8.0 (high): An issue was discovered in Typesetter 5.1. The User Permissions page (aka Admin/Users) suffers from critical flaw of Cross Site Request…
CVE-2020-25790 — CVSS 7.2 (high): Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the…
CVE-2020-19511 — CVSS 6.1 (medium): Cross Site Scriptiong vulnerability in Typesetter 5.1 via the !1) className and !2) Description fields in index.php/Admin/Classes,
CVE-2025-71166 — CVSS 5.4 (medium): Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative…
CVE-2025-71164 — CVSS 5.4 (medium): Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the Editing component. The…
CVE-2025-71165 — CVSS 5.4 (medium): Typesetter CMS versions up to and including 5.1 contain a reflected cross-site scripting (XSS) vulnerability in the administrative…
CVE-2020-35126 — CVSS 4.8 (medium): Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the…
CVE-2018-16625 — CVSS 4.8 (medium): index.php/Admin/Uploaded in Typesetter 5.1 allows XSS via an SVG file with JavaScript in a SCRIPT element.
CVE-2018-20837 — CVSS 4.8 (medium): include/admin/Menu/Ajax.php in Typesetter 5.1 has index.php/Admin/Menu/Ajax?cmd=AddHidden title XSS.
CVE-2019-20077 — CVSS 4.3 (medium): The Typesetter CMS 5.1 logout functionality is affected by a CSRF vulnerability. The logout function of the admin panel is not protected by…