VYPR

Textpattern

by Textpattern

CVEs (34)

  • CVE-2018-7474 | Critical | Mar 14, 2018
    risk 0.67 | cvss 9.8 | epss 0.07

    An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.

  • CVE-2021-47976 | High | May 16, 2026
    risk 0.57 | cvss 8.8 | epss 0.00

    Textpattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload…

  • CVE-2021-47943 | High | May 10, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content…

  • CVE-2021-47888 | High | Jan 23, 2026
    risk 0.57 | cvss 8.8 | epss 0.01

    Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the…

  • CVE-2018-1000090 | High | Mar 13, 2018
    risk 0.49 | cvss 7.5 | epss 0.01

    Textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable via uploading a specially crafted XML file.

  • CVE-2026-30452 | Medium | Apr 21, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the…

  • CVE-2026-5344 | Medium | Apr 2, 2026
    risk 0.41 | cvss 6.3 | epss 0.00

    A security vulnerability has been detected in Textpattern up to 4.9.1. Affected by this vulnerability is the function mt_uploadImage of the file rpc/TXP_RPCServer.php of the component XML-RPC Handler. The manipulation of the argument file.name leads to path traversal. Remote…

  • CVE-2026-32986 | Medium | Mar 20, 2026
    risk 0.40 | cvss 6.1 | epss 0.00

    Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters…

  • CVE-2011-5019 | Jan 5, 2012
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter.

  • CVE-2010-3205 | Sep 3, 2010
    risk 0.03 | cvss n/a | epss 0.03

    PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.

  • CVE-2006-5615 | Oct 31, 2006
    risk 0.03 | cvss n/a | epss 0.02

    PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the txpcfg[txpath] parameter.

  • CVE-2023-26852 | Apr 12, 2023
    risk 0.01 | cvss n/a | epss 0.02

    An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.

  • CVE-2023-53911 | Dec 17, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other…

  • CVE-2023-50038 | Dec 28, 2023
    risk 0.00 | cvss n/a | epss 0.01

    There is an arbitrary file upload vulnerability in the background of Textpattern CMS v4.8.8, which leads to the loss of server permissions.

  • CVE-2023-36220 | Aug 7, 2023
    risk 0.00 | cvss n/a | epss 0.03

    Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a remote authenticated attacker to execute arbitrary code and gain access to sensitive information via the plugin Upload function.

  • CVE-2023-24269 | Apr 28, 2023
    risk 0.00 | cvss n/a | epss 0.01

    An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file.

  • CVE-2021-40642 | Jun 29, 2022
    risk 0.00 | cvss n/a | epss 0.00

    A Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability exists in Textpattern CMS v4.8.7 and older via textpattern/lib/txplib_misc.php. The secure flag is not set for the txp_login session cookie in the application. If the secure flag is not set, then the…

  • CVE-2021-40658 | Jun 14, 2022
    risk 0.00 | cvss n/a | epss 0.01

    Textpattern 4.8.7 is affected by an HTML injection vulnerability through “Content>Write>Body”.

  • CVE-2021-44082 | Mar 29, 2022
    risk 0.00 | cvss n/a | epss 0.03

    Textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so they must first steal the CSRF token before submitting a file…

  • CVE-2021-28002 | Aug 19, 2021
    risk 0.00 | cvss n/a | epss 0.01

    A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the…

Page 1 of 2