{"id":"CVE-2026-32986","summary":"Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection","details":"Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like  and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods.","modified":"2026-07-08T07:32:32.559776069Z","published":"2026-03-20T15:42:04.053Z","database_specific":{"cwe_ids":["CWE-116","CWE-79"],"cna_assigner":"VulnCheck","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32986.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.9.0"},{"last_affected":"4.9.0"}]}]},"references":[{"type":"WEB","url":"https://textpattern.com/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32986.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32986"},{"type":"EVIDENCE","url":"https://packetstorm.news/files/id/216241/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/textpattern/textpattern","events":[{"introduced":"61f5e46ffa39394b0af15be3fcf2102be06816a9"},{"last_affected":"61f5e46ffa39394b0af15be3fcf2102be06816a9"}],"database_specific":{"source":"CPE_STRING","cpe":"cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*","extracted_events":[{"introduced":"4.9.0-NA"},{"last_affected":"4.9.0-NA"}]}}],"versions":["4.9.0-NA","4.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32986.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}