← back
CVE-2026-24127

Typemill has Reflected XSS via login error view template

CVSS 5.4 MEDIUMEPSS 0.3%CWE-116CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected products
typemill · typemill

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88chttps://github.com/typemill/typemill/releases/tag/v2.19.2https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr