Textpattern

All CVEs

34 total · sorted by risk
  • CVE-2018-7474 · Critical · Mar 14, 2018
    risk 0.67 · cvss 9.8 · epss 0.07

    An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.

  • CVE-2021-47976 · High · May 16, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Textpattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload…

  • CVE-2021-47943 · High · May 10, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Textpattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content…

  • CVE-2021-47888 · High · Jan 23, 2026
    risk 0.57 · cvss 8.8 · epss 0.01

    Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the…

  • CVE-2018-1000090 · High · Mar 13, 2018
    risk 0.49 · cvss 7.5 · epss 0.01

    Textpattern version 4.6.2 contains an XML Injection vulnerability in the Import XML feature that can result in denial of service in the context of the web server by exhausting server memory resources. This attack appears to be exploitable via uploading a specially crafted XML file.

  • CVE-2026-30452 · Medium · Apr 21, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the…

  • CVE-2026-5344 · Medium · Apr 2, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A security vulnerability has been detected in Textpattern up to 4.9.1. Affected by this vulnerability is the function mt_uploadImage of the file rpc/TXP_RPCServer.php of the component XML-RPC Handler. The manipulation of the argument file.name leads to path traversal. Remote…

  • CVE-2026-32986 · Medium · Mar 20, 2026
    risk 0.40 · cvss 6.1 · epss 0.00

    Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters…

  • CVE-2011-5019 · Jan 5, 2012
    risk 0.03 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter.

  • CVE-2010-3205 · Sep 3, 2010
    risk 0.03 · cvss n/a · epss 0.03

    PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.

  • CVE-2006-5615 · Oct 31, 2006
    risk 0.03 · cvss n/a · epss 0.02

    PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the txpcfg[txpath] parameter.

  • CVE-2023-26852 · Apr 12, 2023
    risk 0.01 · cvss n/a · epss 0.02

    An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by uploading a crafted PHP file.

  • CVE-2023-53911 · Dec 17, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to inject malicious scripts. Attackers can insert JavaScript payloads into the excerpt, which will execute when the article is viewed by other…

  • CVE-2023-50038 · Dec 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    There is an arbitrary file upload vulnerability in the background of Textpattern CMS v4.8.8, which leads to the loss of server permissions.

  • CVE-2023-36220 · Aug 7, 2023
    risk 0.00 · cvss n/a · epss 0.03

    Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a remote authenticated attacker to execute arbitrary code and gain access to sensitive information via the plugin Upload function.

  • CVE-2023-24269 · Apr 28, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a crafted Zip file.

  • CVE-2021-40642 · Jun 29, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In Textpattern CMS v4.8.7 and older, a Sensitive Cookie in HTTPS Session Without 'Secure' Attribute vulnerability exists via textpattern/lib/txplib_misc.php. The secure flag is not set for the txp_login session cookie in the application. If the secure flag is not set, then the…

  • CVE-2021-40658 · Jun 14, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern 4.8.7 is affected by an HTML injection vulnerability through “Content>Write>Body”.

  • CVE-2021-44082 · Mar 29, 2022
    risk 0.00 · cvss n/a · epss 0.03

    Textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can use XSS to trigger remote code execution by uploading a webshell. To do so they must first steal the CSRF token before submitting a file…

  • CVE-2021-28002 · Aug 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting the…

  • CVE-2021-28001 · Aug 19, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to execute arbitrary code via a crafted payload entered into the URL field. The vulnerability is triggered by users visiting…

  • CVE-2020-23239 · Jul 26, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.

  • CVE-2020-19510 · Jun 21, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern 4.7.3 contains an arbitrary file load via the file_insert function in include/txp_file.php.

  • CVE-2021-30209 · Apr 15, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security verification, which may lead to obtaining system permissions.

  • CVE-2020-35854 · Jan 25, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern 4.8.4 is affected by cross-site scripting (XSS) in the Body parameter.

  • CVE-2020-29458 · Dec 2, 2020
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.

  • CVE-2015-8033 · Aug 14, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.

  • CVE-2015-8032 · Aug 14, 2020
    risk 0.00 · cvss n/a · epss 0.01

    In Textpattern 4.5.7, an unprivileged author can change an article's markup setting.

  • CVE-2014-4737 · Oct 10, 2014
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in Textpattern CMS before 4.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to setup/index.php.

  • CVE-2011-3807 · Sep 24, 2011
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by lib/txplib_db.php and certain other files.

  • CVE-2008-5757 · Dec 30, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site scripting (XSS) vulnerability in textarea/index.php in Textpattern (aka Txp CMS) 4.0.6 and earlier allows remote authenticated users to inject arbitrary web script or HTML via the Body parameter in an article action. NOTE: some of these details are obtained from…

  • CVE-2008-5670 · Dec 19, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Textpattern (aka Txp CMS) 4.0.5 does not ask for the old password during a password reset, which makes it easier for remote attackers to change a password after hijacking a session.

  • CVE-2008-5669 · Dec 19, 2008
    risk 0.00 · cvss n/a · epss 0.02

    index.php in the comments preview section in Textpattern (aka Txp CMS) 4.0.5 allows remote attackers to cause a denial of service via a long message parameter.

  • CVE-2008-5668 · Dec 19, 2008
    risk 0.00 · cvss n/a · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in Textpattern (aka Txp CMS) 4.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO to setup/index.php or (2) the name parameter to index.php in the comments preview section.