Medium severity 6.1 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 16, 2026
CVE-2026-32986
Description
Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.
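The two defensive boundaries this description implies, as an added example that is not Textpattern's code or its patch: the feed producer escapes the parameter when writing the Atom element, and the feed consumer still treats the parsed value as text. The `<title>` element, the helper names and the sample value are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, sample input is constructed.
const sample = 'news"><b>injected</b>'; // stands in for a `category` value

const XML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape XML-significant characters so the value stays character data.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ENTITIES[ch]);
}

// What an XML parser hands the consumer: entities decoded in a single pass.
function decodeXml(text) {
  const map = { lt: "<", gt: ">", quot: '"', "#39": "'", amp: "&" };
  return text.replace(/&(lt|gt|quot|#39|amp);/g, (_, name) => map[name]);
}

// Before: the parameter is concatenated into the feed element as-is.
function buildTitleUnsafe(site, category) {
  return `<title>${site} - ${category}</title>`;
}

// After: the same element, escaped at the output boundary.
function buildTitleSafe(site, category) {
  return `<title>${escapeXml(site)} - ${escapeXml(category)}</title>`;
}

// Producer-side regression check: the element must hold text only.
function isTextOnly(xml, tag) {
  const m = xml.match(new RegExp(`^<${tag}>([\\s\\S]*)</${tag}>$`));
  return m !== null && !/[<>]/.test(m[1]);
}

// Consumer side: parsing a correctly escaped feed yields the raw string
// again, so it must be escaped for the HTML context (in a DOM, assign it
// to textContent instead of innerHTML).
function renderTitleHtml(titleXml) {
  const text = decodeXml(titleXml.replace(/^<title>|<\/title>$/g, ""));
  return `<h2>${escapeXml(text)}</h2>`;
}

console.log(isTextOnly(buildTitleUnsafe("Site", sample), "title"));
console.log(isTextOnly(buildTitleSafe("Site", sample), "title"));
console.log(renderTitleHtml(buildTitleSafe("Site", sample)));
```

The round trip through `decodeXml` is what makes the issue second-order: output escaping in the feed does not remove the consumer's obligation to handle the value as text.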
Affected products
- cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*
- (no CPE) range: = 4.9.0
References
- packetstorm.news/files/id/216241/ (nvd; Exploit, Issue Tracking)
- textpattern.com (nvd; Product)