CVE-2021-47976 TextPattern CMS 4.9.0-dev Authenticated Remote Code Execution via Plugin Upload

TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to...

CVE-2021-47976 TextPattern CMS 4.9.0-dev Authenticated Remote Code Execution via Plugin Upload

TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to...

CVE-2026-30452

Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in...

CVE-2026-32986

Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category th...

File upload vulnerability in tx***_fi***.php file in TextpatternCMS backend

TextpatternCMS is a content management system written in PHP. A file upload vulnerability exists in the txfi.php file in the backend of TextpatternCMS. It allows an attacker to upload a webshell and gain server privileges...