{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32986", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-17T11:31:56.956Z", "datePublished": "2026-03-20T15:42:04.053Z", "dateUpdated": "2026-03-20T19:58:15.096Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-20T17:37:38.635Z"}, "title": "Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection", "datePublic": "2026-02-27T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output", "type": "CWE"}]}], "affected": [{"vendor": "Textpattern", "product": "Textpattern CMS", "versions": [{"status": "affected", "version": "4.9.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.<br></p>"}]}], "references": [{"url": "https://packetstorm.news/files/id/216241/", "name": "Packet Storm listing (Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection)", "tags": ["exploit"]}, {"url": "https://textpattern.com/", "name": "Vendor site", "tags": ["product"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "credits": [{"lang": "en", "value": "indoushka", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "manual"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T19:58:04.268566Z", "id": "CVE-2026-32986", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:58:15.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32986", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T19:58:04.268566Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T19:58:10.370Z"}}], "cna": {"title": "Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "indoushka"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Textpattern", "product": "Textpattern CMS", "versions": [{"status": "affected", "version": "4.9.0"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-27T00:00:00.000Z", "references": [{"url": "https://packetstorm.news/files/id/216241/", "name": "Packet Storm listing (Textpattern 4.9.0 Second-Order XSS via Atom Feed Injection)", "tags": ["exploit"]}, {"url": "https://textpattern.com/", "name": "Vendor site", "tags": ["product"]}], "x_generator": {"engine": "manual"}, "descriptions": [{"lang": "en", "value": "Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.", "supportingMedia": [{"type": "text/html", "value": "<p>Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-20T17:37:38.635Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32986", "state": "PUBLISHED", "dateUpdated": "2026-03-20T19:58:15.096Z", "dateReserved": "2026-03-17T11:31:56.956Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-20T15:42:04.053Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "E401C6DA-6708-4F7E-B6F6-54718AF3A18E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods."}, {"lang": "es", "value": "La versi\u00f3n 4.9.0 de Textpattern CMS contiene una vulnerabilidad de cross-site scripting de segundo orden que permite a los atacantes inyectar scripts maliciosos al explotar una sanitizaci\u00f3n inadecuada de la entrada proporcionada por el usuario en elementos XML de feeds Atom. Los atacantes pueden incrustar cargas \u00fatiles sin escapar en par\u00e1metros como category que se reflejan en campos Atom como y , que se ejecutan como JavaScript cuando los lectores de feeds o los agregadores de CMS consumen el feed e insertan contenido en el DOM utilizando m\u00e9todos inseguros."}], "id": "CVE-2026-32986", "lastModified": "2026-04-16T14:44:02.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-20T16:16:17.573", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://packetstorm.news/files/id/216241/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://textpattern.com/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.9.0"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "Textpattern CMS", "source": "cna", "vendor": "Textpattern"}, "product": "textpattern", "vendor": "textpattern"}], "analysis": {"en": {"generated_at": "2026-03-20T19:35:19.585679+00:00", "value": {"mitigation_remediation": ["Apply any available vendor patch for Textpattern CMS 4.9.0 or later.", "If an update is not immediately available, block external feeds that are untrusted or restrict the use of Atom feeds to internal networks only.", "Consider sanitizing custom feed content or disabling the Category parameter in Atom feed generation until a fix is applied.", "Monitor for any Client\u2011side XSS reports or automated scanners that detect the presence of injected script in the HTML of Atom feeds."], "summary": {"action": "Patch", "impact": "Second\u2011Order Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Textpattern CMS, specifically the 4.9.0 release. No additional affected versions were listed in the available data. Users running this exact version should verify whether the Atom feed generation or rendering components include the vulnerable logic and consider upgrading to a later release when available.", "description_and_impact": "Textpattern CMS version 4.9.0 contains a second\u2011order cross\u2011site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user\u2011supplied input in Atom feed XML elements. Unescaped payloads can be embedded in parameters such as category, which are later reflected into Atom fields that are rendered by feed readers or CMS aggregators. When clients process these feeds and insert the content into the DOM using unsafe methods, the malicious JavaScript is executed, potentially compromising user accounts, stealing credentials, or delivering further malware. The weakness is a classic instance of unsanitized input with persistent context leading to client\u2011side script execution.", "risk_and_exploitability": "The CVSS score of 5.1 places this issue in a moderate risk range, indicating that while exploitation does not grant arbitrary code execution on the server, it can cause significant client\u2011side damage. EPSS information is not available, so the exact likelihood of exploitation in the wild cannot be quantified. The vulnerability is not present in the CISA KEV catalog, suggesting that there are no reports of active exploitation as of now. However, because the attack can be performed remotely via crafted feed content, an attacker who can influence the feed data (for example, by creating a new category or posting through the CMS interface) could potentially exploit the flaw. The likely attack vector is remote client\u2011side; the prerequisite is that an external actor can inject content that will later be consumed by a third\u2011party feed reader or aggregator."}}}}, "created": "2026-03-23T09:53:26.286141+00:00", "updated": "2026-03-25T14:29:16.833679+00:00", "vendors": ["textpattern", "textpattern$PRODUCT$textpattern"]}