CVE-2020-35126

MEDIUM

Typesetter CMS < 5.1 - Authenticated Stored Cross-Site Scripting via Site Title Configuration

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35126. PoCs published by Alperen Ergel.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in Typesetter CMS 5.1 by injecting a malicious script into the 'Site Title' field via an authenticated administrator session. The payload is executed when the site is visited.

Description

Typesetter CMS 5.x through 5.1 allows admins to conduct Site Title persistent XSS attacks via an Admin/Configuration URI. NOTE: the significance of this report is disputed because "admins are considered trustworthy.

Exploits (1)

exploitdb WORKING POC

by Alperen Ergel · textwebappsphp

https://www.exploit-db.com/exploits/48852

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in Typesetter CMS 5.1 by injecting a malicious script into the 'Site Title' field via an authenticated administrator session. The payload is executed when the site is visited.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Typesetter CMS 5.1

Auth required

Prerequisites: Authenticated administrator access to the Typesetter CMS admin panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/48852

Scores

CVSS v3 4.8

EPSS 0.0069

EPSS Percentile 48.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

typesettercms/typesetter < 5.1

Published Dec 11, 2020

Tracked Since Feb 18, 2026