Vendor: Textpattern
Products: 1
CVEs: 14
Across products: 24
Status: Private
Products: 1 - 24 CVEs
Recent CVEs: 14

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-47976 | High | 0.57 | 8.8 | — | | May 16, 2026 | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution. |
| CVE-2021-47943 | High | 0.57 | 8.8 | 0.00 | | May 10, 2026 | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function. |
| CVE-2026-30452 | Medium | 0.42 | 6.5 | 0.00 | | Apr 21, 2026 | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users. |
| CVE-2026-32986 | Medium | 0.40 | 6.1 | 0.00 | | Mar 20, 2026 | Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods. |
| CVE-2011-5019 | | 0.03 | — | 0.03 | | Jan 5, 2012 | Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter. |
| CVE-2010-3205 | | 0.03 | — | 0.01 | | Sep 3, 2010 | PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. |
| CVE-2006-5615 | | 0.03 | — | 0.02 | | Oct 31, 2006 | PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the txpcfg[txpath] parameter. |
| CVE-2023-53911 | | 0.00 | — | 0.00 | | Dec 17, 2025 | Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other users. |
| CVE-2014-4737 | | 0.00 | — | 0.00 | | Oct 10, 2014 | Cross-site scripting (XSS) vulnerability in Textpattern CMS before 4.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to setup/index.php. |
| CVE-2011-3807 | | 0.00 | — | 0.00 | | Sep 24, 2011 | Textpattern 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/txplib_db.php and certain other files. |
| CVE-2008-5757 | | 0.00 | — | 0.00 | | Dec 30, 2008 | Cross-site scripting (XSS) vulnerability in textarea/index.php in Textpattern (aka Txp CMS) 4.0.6 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Body parameter in an article action. NOTE: some of these details are obtained from third party information. |
| CVE-2008-5670 | | 0.00 | — | 0.01 | | Dec 19, 2008 | Textpattern (aka Txp CMS) 4.0.5 does not ask for the old password during a password reset, which makes it easier for remote attackers to change a password after hijacking a session. |
| CVE-2008-5669 | | 0.00 | — | 0.01 | | Dec 19, 2008 | index.php in the comments preview section in Textpattern (aka Txp CMS) 4.0.5 allows remote attackers to cause a denial of service via a long message parameter. |
| CVE-2008-5668 | | 0.00 | — | 0.00 | | Dec 19, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Textpattern (aka Txp CMS) 4.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to setup/index.php or (2) the name parameter to index.php in the comments preview section. |