Second-Order XSS Vulnerability in Textpattern CMS 4.9.0
CVE-2026-32986

5.1MEDIUM

Key Information:

Vendor

Textpattern

Status
Textpattern Cms
Vendor
CVE Published:
20 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-32986?

A Second-Order Cross-Site Scripting (XSS) vulnerability is present in Textpattern CMS version 4.9.0 due to inadequate sanitization and contextual encoding of user-supplied input within Atom feed XML elements. It permits user-controlled parameters, like the category, to be reflected in Atom fields—specifically in and —without appropriate XML escaping. Although the payload may not directly execute in modern browsers when rendered in raw XML context, it poses a risk when processed by HTML-based feed readers, admin dashboards, or CMS aggregators that improperly handle feed content insertion into the DOM using unsafe methods such as innerHTML, leading to potential JavaScript execution in a trusted environment.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Textpattern CMS 4.9.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-32986 - Proof of Concept

References

https://packetstorm.news/files/id/216241/
exploit
https://textpattern.com/
product

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • 🟡

    Public PoC available

  • đź‘ľ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

indoushka
JSON
.