Vulnerability Description
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Typemill | Typemill | < 2.19.2 |
Related Weaknesses (CWE)
References
- https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4 (Patch)
- https://github.com/typemill/typemill/releases/tag/v2.19.2 (Product, Release Notes)
- https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr (Third Party Advisory, Exploit)
FAQ
What is CVE-2026-24127?
CVE-2026-24127 is a reflected Cross-Site Scripting (XSS) vulnerability in Typemill, a flat-file, Markdown-based CMS, with a CVSS score of 5.4 (MEDIUM). The login error view template `login.twig` in versions 2.19.1 and below echoes the `username` value back without proper contextual encoding when authentication fails; see the full description above.
How severe is CVE-2026-24127?
CVE-2026-24127 has been rated MEDIUM with a CVSS base score of 5.4/10.
Is there a patch for CVE-2026-24127?
Yes. The issue is fixed in Typemill version 2.19.2; see the references section above for the patch commit, the release notes, and the vendor advisory. Affected product: Typemill by Typemill, versions below 2.19.2.