CVE-2026-32986

| EUVD-2026-13724 MEDIUM
2026-03-20 VulnCheck
6.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 24, 2026 - 15:54 vuln.today
Public exploit code
Analysis Generated
Mar 20, 2026 - 15:52 vuln.today
EUVD ID Assigned
Mar 20, 2026 - 15:52 euvd
EUVD-2026-13724
CVE Published
Mar 20, 2026 - 15:42 nvd
MEDIUM 6.1

Tags

XSS

Description

A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding of user-supplied input embedded within Atom feed XML elements. User-controlled parameters (e.g., category) are reflected into Atom fields such as <id> and <link href> without proper XML escaping. While the payload may not execute directly in modern browsers in raw XML context, it can execute when the feed is consumed by HTML-based feed readers, admin dashboards, or CMS aggregators that insert the feed content into the DOM using unsafe methods (e.g., innerHTML), resulting in JavaScript execution in a trusted context.

Analysis

A second-order XSS vulnerability exists in Textpattern CMS version 4.9.0 where user-supplied input (such as category parameters) is improperly sanitized and lacks contextual XML escaping in Atom feed XML elements like <id> and <link href>. While the payload does not execute directly in raw XML contexts within modern browsers, it becomes exploitable when feed readers, admin dashboards, or CMS aggregators consume the feed and insert its content into the DOM using unsafe methods like innerHTML, resulting in arbitrary JavaScript execution in a trusted context. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 30 days: Identify affected systems running Textpattern CMS and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

51
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +30
POC: +20

Vendor Status

Debian

textpattern
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

CVE-2026-32986 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy