trendschau

2 exploits Active since Jan 2026
CVE-2026-49133 WRITEUP MEDIUM
Typemill < 2.24.0 Path Traversal via ControllerApiImage::getPagemedia()
Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile() with an empty folder argument. Attackers can bypass traversal-prevention controls in Storage::getFolderPath() to access sensitive files.
CVSS 6.5
CVE-2026-24127 WRITEUP MEDIUM
Typemill < 2.19.2 - Reflected Cross-Site Scripting via Login Error Template
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) vulnerability exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
CVSS 5.4