Textpattern
by Textpattern
CVEs (34)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-7474 | | Cri | 0.67 | 9.8 | 0.07 | | Mar 14, 2018 | An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php. |
| CVE-2021-47976 | | Hig | 0.57 | 8.8 | 0.00 | | May 16, 2026 | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload… |
| CVE-2021-47943 | | Hig | 0.57 | 8.8 | 0.01 | | May 10, 2026 | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content… |
| CVE-2021-47888 | | Hig | 0.57 | 8.8 | 0.01 | | Jan 23, 2026 | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the… |
| CVE-2018-1000090 | | Hig | 0.49 | 7.5 | 0.01 | | Mar 13, 2018 | Textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable via uploading a specially crafted XML file. |
| CVE-2026-30452 | | Med | 0.42 | 6.5 | 0.00 | | Apr 21, 2026 | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the… |
| CVE-2026-5344 | | Med | 0.41 | 6.3 | 0.00 | | Apr 2, 2026 | A security vulnerability has been detected in Textpattern up to 4.9.1. Affected by this vulnerability is the function mt_uploadImage of the file rpc/TXP_RPCServer.php of the component XML-RPC Handler. The manipulation of the argument file.name leads to path traversal. Remote… |
| CVE-2026-32986 | | Med | 0.40 | 6.1 | 0.00 | | Mar 20, 2026 | Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters… |
| CVE-2011-5019 | | | 0.03 | — | 0.02 | | Jan 5, 2012 | Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter. |
| CVE-2010-3205 | | | 0.03 | — | 0.03 | | Sep 3, 2010 | PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. |
| CVE-2006-5615 | | | 0.03 | — | 0.02 | | Oct 31, 2006 | PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the txpcfg[txpath] parameter. |
| CVE-2023-26852 | | | 0.01 | — | 0.02 | | Apr 12, 2023 | An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file. |
| CVE-2023-53911 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other… |
| CVE-2023-50038 | | | 0.00 | — | 0.01 | | Dec 28, 2023 | There is an arbitrary file upload vulnerability in the background of Textpattern CMS v4.8.8, which leads to the loss of server permissions. |
| CVE-2023-36220 | | | 0.00 | — | 0.03 | | Aug 7, 2023 | Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a remote authenticated attacker to execute arbitrary code and gain access to sensitive information via the plugin Upload function. |
| CVE-2023-24269 | | | 0.00 | — | 0.01 | | Apr 28, 2023 | An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file. |
| CVE-2021-40642 | | | 0.00 | — | 0.00 | | Jun 29, 2022 | Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the… |
| CVE-2021-40658 | | | 0.00 | — | 0.01 | | Jun 14, 2022 | Textpattern 4.8.7 is affected by an HTML injection vulnerability through “Content>Write>Body”. |
| CVE-2021-44082 | | | 0.00 | — | 0.03 | | Mar 29, 2022 | Textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so they must first steal the CSRF token before submitting a file… |
| CVE-2021-28002 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the… |
Page 1 of 2