CVE-2026-32986

Publication date

2026-03-20 15:42:04

Family

VulnCheck

State

PUBLISHED

Description

A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding of user-supplied input embedded within Atom feed XML elements. User-controlled parameters (e.g., category) are reflected into Atom fields such as and without proper XML escaping. While the payload may not execute directly in modern browsers in raw XML context, it can execute when the feed is consumed by HTML-based feed readers, admin dashboards, or CMS aggregators that insert the feed content into the DOM using unsafe methods (e.g., innerHTML), resulting in JavaScript execution in a trusted context.