Path Traversal Vulnerability in Textpattern XML-RPC Handler
CVE-2026-5344
5.3 MEDIUM
What is CVE-2026-5344?
A security vulnerability exists in Textpattern versions up to 4.9.1, in the mt_uploadImage function of the XML-RPC Handler. Manipulating the file.name argument allows unauthorized changes to the file path, which can lead to path traversal attacks. The vulnerability can be exploited remotely. The issue has been publicly disclosed; the vendor has acknowledged it and is expected to release a patch in the near future.
Affected Version(s)
Textpattern 4.9.0
Textpattern 4.9.1
