VYPR
Medium severity6.1NVD Advisory· Published Mar 20, 2026· Updated Apr 16, 2026

CVE-2026-32986

CVE-2026-32986

Description

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*
    • (no CPE)range: = 4.9.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.