CVE-2018-7474 — CVSS 9.8 (critical): An issue was discovered in Textpattern CMS 4.6.2 and earlier. It is possible to inject SQL code in the variable "qty" on the page index.php.
CVE-2023-24269 — CVSS 8.8 (high): An arbitrary file upload vulnerability in the plugin upload function of Textpattern v4.8.8 allows attackers to execute arbitrary code via a…
CVE-2023-50038 — CVSS 8.8 (high): There is an arbitrary file upload vulnerability in the background of textpattern cms v4.8.8, which leads to the loss of server permissions.
CVE-2021-44082 — CVSS 8.3 (high): textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) via /textpattern/index.php,Body. A remote and unauthenticated attacker can…
CVE-2006-5615 — CVSS 7.5 (high): PHP remote file inclusion vulnerability in publish.php in Textpattern 1.19, when register_globals is enabled, allows remote attackers to…
CVE-2010-3205 — CVSS 7.5 (high): PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a…
CVE-2018-1000090 — CVSS 7.5 (high): textpattern version version 4.6.2 contains a XML Injection vulnerability in Import XML feature that can result in Denial of service in…
CVE-2023-26852 — CVSS 7.2 (high): An arbitrary file upload vulnerability in the upload plugin of Textpattern v4.8.8 and below allows attackers to execute arbitrary code by…
CVE-2023-36220 — CVSS 7.2 (high): Directory Traversal vulnerability in Textpattern CMS v4.8.8 allows a remote authenticated attacker to execute arbitrary code and gain…
CVE-2008-5670 — CVSS 6.8 (medium): Textpattern (aka Txp CMS) 4.0.5 does not ask for the old password during a password reset, which makes it easier for remote attackers to…
CVE-2026-30452 — CVSS 6.5 (medium): Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with…
CVE-2021-30209 — CVSS 6.5 (medium): Textpattern V4.8.4 contains an arbitrary file upload vulnerability where a plug-in can be loaded in the background without any security…
CVE-2026-32986 — CVSS 6.1 (medium): Textpattern CMS version 4.9.0 contains a second-order cross-site scripting vulnerability that allows attackers to inject malicious scripts…
CVE-2021-28001 — CVSS 5.4 (medium): A cross-site scripting vulnerability was discovered in the Comments parameter in Textpattern CMS 4.8.4 which allows remote attackers to…
CVE-2023-53911 — CVSS 5.4 (medium): Textpattern CMS 4.8.8 contains a stored cross-site scripting vulnerability in the article excerpt field that allows authenticated users to…
CVE-2021-28002 — CVSS 5.4 (medium): A persistent cross-site scripting vulnerability was discovered in the Excerpt parameter in Textpattern CMS 4.9.0 which allows remote…
CVE-2015-8033 — CVSS 5.3 (medium): In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.
CVE-2008-5669 — CVSS 5.0 (medium): index.php in the comments preview section in Textpattern (aka Txp CMS) 4.0.5 allows remote attackers to cause a denial of service via a…
CVE-2011-3807 — CVSS 5.0 (medium): Textpattern 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the…
CVE-2020-23239 — CVSS 4.8 (medium): Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.
CVE-2014-4737 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Textpattern CMS before 4.5.7 allows remote attackers to inject arbitrary web script or HTML via…
CVE-2021-40642 — CVSS 4.3 (medium): Textpattern CMS v4.8.7 and older vulnerability exists through Sensitive Cookie in HTTPS Session Without 'Secure' Attribute via…
CVE-2011-5019 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows…
CVE-2008-5757 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in textarea/index.php in Textpattern (aka Txp CMS) 4.0.6 and earlier allows remote authenticated…