CVE-2026-32986

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32986
Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.

6.1 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://packetstorm.news/files/id/216241/
https://textpattern.com/
Configurations

No configuration.

History

20 Mar 2026, 18:16

Type Values Removed Values Added
Summary (en) A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding of user-supplied input embedded within Atom feed XML elements. User-controlled parameters (e.g., category) are reflected into Atom fields such as <id> and <link href> without proper XML escaping. While the payload may not execute directly in modern browsers in raw XML context, it can execute when the feed is consumed by HTML-based feed readers, admin dashboards, or CMS aggregators that insert the feed content into the DOM using unsafe methods (e.g., innerHTML), resulting in JavaScript execution in a trusted context. (en) Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.

20 Mar 2026, 16:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 16:16

Updated : 2026-03-24 15:54

NVD link : CVE-2026-32986

Mitre link : CVE-2026-32986

CVE.ORG link : CVE-2026-32986

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-116

Improper Encoding or Escaping of Output