CVE-2026-32986

Name of the Vulnerable Software and Affected Versions Textpattern CMS version 4.9.0

Description Textpattern CMS version 4.9.0 is affected by a second-order cross-site scripting issue. This allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input within Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like <title> and <link>, resulting in JavaScript execution when feed readers or CMS aggregators consume the feed and insert content into the Document Object Model (DOM) using unsafe methods.

Recommendations Update to a newer version that contains a fix for this vulnerability.