CVE-2026-24127 Overview
CVE-2026-24127 is a reflected Cross-Site Scripting (XSS) vulnerability in Typemill, a flat-file, Markdown-based content management system designed for informational documentation websites. The vulnerability exists in the login error view template login.twig where the username value is echoed back to the user without proper contextual encoding when authentication fails. This allows an attacker to craft malicious URLs that execute arbitrary JavaScript in the context of the login page when a victim clicks the link.
Critical Impact
Attackers can steal session cookies, capture credentials, perform phishing attacks, or redirect users to malicious sites by exploiting this reflected XSS vulnerability in the authentication flow.
Affected Products
- Typemill CMS versions 2.19.1 and below
- Typemill login template (login.twig)
- Systems using vulnerable OldInputMiddleware.php
Discovery Timeline
- 2026-01-23 - CVE-2026-24127 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-24127
Vulnerability Analysis
This reflected XSS vulnerability (CWE-79) occurs within the authentication workflow of Typemill CMS. When a user submits invalid login credentials, the application reflects the submitted username parameter back to the browser within the error message displayed on the login page. The vulnerable login.twig template fails to apply proper output encoding to the username value before rendering it in the HTML context.
The lack of contextual encoding allows an attacker to inject malicious JavaScript code within the username parameter. When a victim visits a specially crafted URL containing the malicious payload, the script executes within the victim's browser session on the Typemill login page. This can lead to credential theft through fake login forms, session token exfiltration, or redirection to attacker-controlled phishing sites.
Root Cause
The root cause is improper input validation and missing output encoding in the login.twig template and the OldInputMiddleware.php middleware. The application stores user-submitted form data in the session for re-display purposes without sanitization. The vulnerable middleware directly assigned parsed body content to the session without recursive sanitization of potentially dangerous input values.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious URL containing JavaScript payload in the username parameter and distributes it via phishing emails, social media, or other channels. When a victim clicks the link and the login fails, the malicious script executes in their browser context. The attack does not require authentication, making it accessible to any remote attacker who can convince a victim to click a crafted link.
// Security patch in system/typemill/Middleware/OldInputMiddleware.php
// Source: https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c
{
unset($_SESSION['old']);
- if(!empty($request->getParsedBody()))
+ $oldinput = $request->getParsedBody();
+ if (!empty($oldinput) && is_array($oldinput))
{
- $oldinput = $request->getParsedBody();
-
- if(is_array($oldinput))
- {
- foreach($oldinput as $key => $value)
- {
- if (stripos($key, 'pass') !== false)
- {
- unset($oldinput[$key]);
- }
- }
- }
+ $oldinput = $this->sanitizeRecursive($oldinput);
$_SESSION['old'] = $oldinput;
}
}
return $response;
}
+
+ private function sanitizeRecursive(array $oldinput): array
+ {
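Review bot: the removed loop (`if (stripos($key, 'pass') !== false) { unset($oldinput[$key]); }`) was the only thing keeping submitted passwords out of `$_SESSION['old']`, and the replacement `sanitizeRecursive()` is shown in this hunk only down to its signature; confirm that the new method still drops password-like keys, and does so at every nesting level of the array, otherwise the change trades an XSS for credentials persisted in session storage. A docblock on `sanitizeRecursive()` stating which output context it encodes for (HTML text for re-display in login.twig) would also help, so that the template does not escape the same value a second time.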
The patch introduces a sanitizeRecursive() method that properly sanitizes all input values before storing them in the session, preventing malicious scripts from being reflected back to users.
Detection Methods for CVE-2026-24127
Indicators of Compromise
- Web server logs containing login requests with suspicious JavaScript patterns in the username parameter (e.g., <script>, onerror=, javascript:)
- Unusual URL patterns in referrer logs pointing to the /tm/login endpoint with encoded payloads
- Security log entries showing repeated "login: invalid data" attempts with anomalous username values
- Client-side error reports indicating script execution errors from unexpected sources
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS patterns in authentication endpoints
- Configure Content Security Policy (CSP) headers to restrict inline script execution and report violations
- Deploy behavioral analysis to identify suspicious login page access patterns with encoded URL parameters
- Enable browser-based XSS auditing and monitor for blocked script execution events
Monitoring Recommendations
- Monitor web server access logs for requests to /tm/login containing URL-encoded special characters or JavaScript keywords
- Set up alerts for CSP violation reports indicating attempted script injection
- Track failed authentication attempts that contain non-alphanumeric characters in username fields
- Review security logs at data/security/securitylog.txt for unusual patterns in login failure entries
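The log-based indicators and monitoring steps above can be turned into a small offline scanner. The following is an added example, not part of this advisory or of Typemill: it parses access-log lines in the common "combined" format, looks only at requests whose path is the /tm/login endpoint named on the page, percent-decodes each query parameter repeatedly (so double-encoded payloads are caught), and matches the values against the indicator patterns listed above. The six log lines are constructed for the demo; the function names are the example's own.

```python
"""Scan web-server access logs for reflected-XSS attempts against /tm/login.
Added example, not Typemill code. The log lines below are constructed and
the indicator patterns mirror the ones listed in the advisory."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

LOGIN_PATH = "/tm/login"  # endpoint named in the advisory

# Constructed sample traffic in nginx/Apache "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2026:10:01:02 +0000] "GET /tm/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2026:10:01:09 +0000] "POST /tm/login HTTP/1.1" 302 0 "https://docs.example.test/tm/login" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2026:10:05:41 +0000] "GET /tm/login?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "curl/8.4.0"
198.51.100.7 - - [23/Jan/2026:10:05:42 +0000] "GET /tm/login?username=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1601 "-" "curl/8.4.0"
192.0.2.9 - - [23/Jan/2026:10:07:00 +0000] "GET /tm/login?username=o%27brien HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Jan/2026:10:08:13 +0000] "GET /tm/login?username=javascript%3Aalert(1) HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicator patterns from the advisory: <script>, onerror= style handlers, javascript: URIs.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C (double-encoded '<') is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a suspicious /tm/login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != LOGIN_PATH:
        return None
    hits = []
    # parse_qsl already decodes one layer; decode_fully handles the rest.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        for name, pattern in XSS_PATTERNS:
            if pattern.search(value):
                hits.append((key, name))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "hits": hits}


def scan_log(text):
    """Scan every line of a log and keep only the findings."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


def count_by_ip(findings):
    """Aggregate findings per source address, the usual alerting key."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

The `o'brien` line is deliberately included: it contains a non-alphanumeric character in the username, which the broader "non-alphanumeric characters" rule in the monitoring list would flag, but it matches none of the indicator patterns and so produces no finding. Matching on decoded values against specific patterns keeps the false-positive rate workable; the single-character rule is better used for counting than for alerting.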
How to Mitigate CVE-2026-24127
Immediate Actions Required
- Upgrade Typemill CMS to version 2.19.2 or later immediately
- Implement Content Security Policy headers with strict script-src directives to mitigate XSS impact
- Deploy WAF rules to filter XSS payloads targeting the login endpoint
- Review access logs for evidence of prior exploitation attempts
Patch Information
The vulnerability has been fixed in Typemill version 2.19.2. The patch introduces a sanitizeRecursive() method in OldInputMiddleware.php that properly escapes and sanitizes all user input before storing it in session variables for re-display. The fix ensures proper contextual encoding is applied to prevent script injection.
For detailed patch information, see the GitHub Security Advisory GHSA-65x4-pjhj-r8wr and the security patch commit. The patched version is available at the GitHub Release v2.19.2.
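The root cause and patch sections above describe two layers: scrubbing the "old input" before it is stored in the session for re-display, and encoding the username where the error message is rendered. The following added example models both in Python so the behaviour can be checked in isolation; it is not Typemill's PHP code, and the function names and the sample form submission are constructed. It also goes one step beyond the pre-patch loop shown in the diff by dropping password-like keys at every nesting level, not just the top level.

```python
"""Model of the old-input scrubbing and output encoding described for
CVE-2026-24127. Added example in Python, not Typemill's PHP code; names and
sample data are constructed."""
import html


def sanitize_recursive(data):
    """Return a copy of nested form data that is safe to keep for re-display:
    password-like keys are dropped at every level, strings are HTML-encoded,
    lists and dicts are walked recursively, other scalars pass through."""
    if isinstance(data, dict):
        return {k: sanitize_recursive(v) for k, v in data.items()
                if "pass" not in str(k).lower()}
    if isinstance(data, list):
        return [sanitize_recursive(v) for v in data]
    if isinstance(data, str):
        return html.escape(data, quote=True)
    return data


def render_error_unsafe(old):
    """Vulnerable pattern: the submitted username lands in HTML verbatim."""
    return '<p class="error">Login failed for ' + old.get("username", "") + "</p>"


def render_error_safe(old):
    """Fixed pattern: encode for the HTML text context at the output point."""
    return ('<p class="error">Login failed for '
            + html.escape(old.get("username", ""), quote=True) + "</p>")


# Constructed form submission: nested data, a non-string value, and a
# password-like key two levels down.
SUBMITTED = {
    "username": "<script>alert(1)</script>",
    "password": "hunter2",
    "remember": 1,
    "profile": {"displayname": 'Eve "the" <b>tester</b>', "passphrase": "s3cret"},
    "tags": ["<i>a</i>", "b"],
}

if __name__ == "__main__":
    clean = sanitize_recursive(SUBMITTED)
    print(clean)
    print(render_error_unsafe(SUBMITTED))  # script tag survives
    print(render_error_safe(SUBMITTED))    # script tag is encoded
    print(render_error_safe(clean))        # encoded twice: &amp;lt;...
```

The last line of the demo is the caveat to carry into a real deployment: if the session value is already HTML-encoded when stored, the template must emit it without encoding again, and if the template autoescapes, the stored value should stay raw. Either layer alone prevents the reflection; applying both produces visible `&amp;lt;` artefacts in the error message. Stripping password-like keys is independent of that choice and should happen regardless.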
Workarounds
- If immediate patching is not possible, implement a reverse proxy or WAF rule to sanitize the username parameter before it reaches the application
- Configure strict Content Security Policy headers to prevent inline script execution: Content-Security-Policy: script-src 'self'; object-src 'none'
- Restrict access to the login page to trusted IP ranges if the CMS is used internally
- Monitor the security log file for suspicious login attempts and block offending IP addresses
# Example nginx configuration for CSP headers
# Note: add_header directives in a location block replace, rather than extend,
# any add_header set at the server level, so repeat server-wide headers here.
location /tm/login {
    # script-src 'self' forbids inline scripts; verify the login page still
    # renders and submits before rolling this out. "always" sends the header
    # on error responses as well as on 200s.
    add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'self';" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers no longer ship an XSS auditor, so the
    # CSP above is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

