Vendor CVEs
Textpattern
All CVEs
34 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-7474 | | Cri | 0.67 | 9.8 | 0.07 | | Mar 14, 2018 | An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php. |
| CVE-2021-47976 | | Hig | 0.57 | 8.8 | 0.00 | | May 16, 2026 | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload… |
| CVE-2021-47943 | | Hig | 0.57 | 8.8 | 0.01 | | May 10, 2026 | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content… |
| CVE-2021-47888 | | Hig | 0.57 | 8.8 | 0.01 | | Jan 23, 2026 | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the… |
| CVE-2018-1000090 | | Hig | 0.49 | 7.5 | 0.01 | | Mar 13, 2018 | textpattern version 4.6.2 contains an XML Injection vulnerability in Import XML feature that can result in Denial of service in context to the web server by exhausting server memory resources. This attack appears to be exploitable via Uploading a specially crafted XML file. |
| CVE-2026-30452 | | Med | 0.42 | 6.5 | 0.00 | | Apr 21, 2026 | Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the… |
| CVE-2026-5344 | | Med | 0.41 | 6.3 | 0.00 | | Apr 2, 2026 | A security vulnerability has been detected in Textpattern up to 4.9.1. Affected by this vulnerability is the function mt_uploadImage of the file rpc/TXP_RPCServer.php of the component XML-RPC Handler. The manipulation of the argument file.name leads to path traversal. Remote… |
| CVE-2026-32986 | | Med | 0.40 | 6.1 | 0.00 | | Mar 20, 2026 | Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters… |
| CVE-2011-5019 | | | 0.03 | — | 0.02 | | Jan 5, 2012 | Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter. |
| CVE-2010-3205 | | | 0.03 | — | 0.03 | | Sep 3, 2010 | PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. |
| CVE-2006-5615 | | | 0.03 | — | 0.02 | | Oct 31, 2006 | PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the txpcfg[txpath] parameter. |
| CVE-2023-26852 | | | 0.01 | — | 0.02 | | Apr 12, 2023 | An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file. |
| CVE-2023-53911 | | | 0.00 | — | 0.00 | | Dec 17, 2025 | Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other… |
| CVE-2023-50038 | | | 0.00 | — | 0.01 | | Dec 28, 2023 | There is an arbitrary file upload vulnerability in the background of textpattern cms v4.8.8, which leads to the loss of server permissions. |
| CVE-2023-36220 | | | 0.00 | — | 0.03 | | Aug 7, 2023 | Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a remote authenticated attacker to execute arbitrary code and gain access to sensitive information via the plugin Upload function. |
| CVE-2023-24269 | | | 0.00 | — | 0.01 | | Apr 28, 2023 | An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file. |
| CVE-2021-40642 | | | 0.00 | — | 0.00 | | Jun 29, 2022 | Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via textpattern/lib/txplib_misc.php. The secure flag is not set for txp_login session cookie in the application. If the secure flag is not set, then the… |
| CVE-2021-40658 | | | 0.00 | — | 0.01 | | Jun 14, 2022 | Textpattern 4.8.7 is affected by an HTML injection vulnerability through “Content>Write>Body”. |
| CVE-2021-44082 | | | 0.00 | — | 0.03 | | Mar 29, 2022 | textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so they must first steal the CSRF token before submitting a file… |
| CVE-2021-28002 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the… |
| CVE-2021-28001 | | | 0.00 | — | 0.01 | | Aug 19, 2021 | A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting… |
| CVE-2020-23239 | | | 0.00 | — | 0.01 | | Jul 26, 2021 | Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature. |
| CVE-2020-19510 | | | 0.00 | — | 0.01 | | Jun 21, 2021 | Textpattern 4.7.3 contains an arbitrary file load via the file_insert function in include/txp_file.php. |
| CVE-2021-30209 | | | 0.00 | — | 0.01 | | Apr 15, 2021 | Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions. |
| CVE-2020-35854 | | | 0.00 | — | 0.01 | | Jan 25, 2021 | Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter. |
| CVE-2020-29458 | | | 0.00 | — | 0.01 | | Dec 2, 2020 | Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem. |
| CVE-2015-8033 | | | 0.00 | — | 0.01 | | Aug 14, 2020 | In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account. |
| CVE-2015-8032 | | | 0.00 | — | 0.01 | | Aug 14, 2020 | In Textpattern 4.5.7, an unprivileged author can change an article's markup setting. |
| CVE-2014-4737 | | | 0.00 | — | 0.02 | | Oct 10, 2014 | Cross-site scripting (XSS) vulnerability in Textpattern CMS before 4.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to setup/index.php. |
| CVE-2011-3807 | | | 0.00 | — | 0.01 | | Sep 24, 2011 | Textpattern 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/txplib_db.php and certain other files. |
| CVE-2008-5757 | | | 0.00 | — | 0.01 | | Dec 30, 2008 | Cross-site scripting (XSS) vulnerability in textarea/index.php in Textpattern (aka Txp CMS) 4.0.6 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Body parameter in an article action. NOTE: some of these details are obtained from… |
| CVE-2008-5670 | | | 0.00 | — | 0.01 | | Dec 19, 2008 | Textpattern (aka Txp CMS) 4.0.5 does not ask for the old password during a password reset, which makes it easier for remote attackers to change a password after hijacking a session. |
| CVE-2008-5669 | | | 0.00 | — | 0.02 | | Dec 19, 2008 | index.php in the comments preview section in Textpattern (aka Txp CMS) 4.0.5 allows remote attackers to cause a denial of service via a long message parameter. |
| CVE-2008-5668 | | | 0.00 | — | 0.01 | | Dec 19, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in Textpattern (aka Txp CMS) 4.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to setup/index.php or (2) the name parameter to index.php in the comments preview section. |