Report: CVE-2026-32986 - Textpattern CMS 4.9.0: Second-Order XSS via Atom Feed Injection
CVE ID: CVE-2026-32986
Published: March 20, 2026, 3:42 p.m.
Severity: 6.1 | MEDIUM

Description: A Second-Order Cross-Site Scripting (XSS) vulnerability exists in Textpattern CMS version 4.9.0 due to improper sanitization and contextual encoding of user-supplied input embedded within Atom feed XML elements. User-controlled parameters (e.g., category) are reflected into Atom fields such as and without proper XML escaping. While the payload may not execute directly in modern browsers in a raw XML context, it can execute when the feed is consumed by HTML-based feed readers, admin dashboards, or CMS aggregators that insert the feed content into the DOM using unsafe methods (e.g., innerHTML), resulting in JavaScript execution in a trusted context.
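The defect class the report describes is a value from an untrusted parameter being copied verbatim into Atom XML text nodes, and the downstream risk is a consumer that then treats that text as HTML. The following is an added example (not Textpattern's code) that contrasts string-concatenated feed generation with generation that escapes for the XML context, and shows the second encoding step an HTML-based consumer needs. The function names and the sample category value are constructed for illustration.

```python
# Added example (not Textpattern code): contextual escaping of a
# user-controlled value (a category name) placed into Atom elements,
# plus the separate HTML-context encoding a feed consumer must apply.
import html
from typing import List, Optional
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed sample input: a category value containing markup characters.
SAMPLE_CATEGORY = "news & <script>x()</script>"


def build_title_unsafe(category: str) -> str:
    """Defective pattern: the value is interpolated into XML verbatim."""
    return f"<title>Articles in {category}</title>"


def build_title_safe(category: str) -> str:
    """Escape '&', '<' and '>' for XML text content before interpolating."""
    return f"<title>Articles in {escape(category)}</title>"


def build_feed_safe(feed_title: str, categories: List[str]) -> bytes:
    """Build a minimal Atom feed with ElementTree.

    The serializer escapes every text node and attribute value, so the
    category can only ever appear as character data, never as markup.
    """
    ET.register_namespace("", ATOM_NS)
    feed = ET.Element(f"{{{ATOM_NS}}}feed")
    ET.SubElement(feed, f"{{{ATOM_NS}}}title").text = feed_title
    for cat in categories:
        entry = ET.SubElement(feed, f"{{{ATOM_NS}}}entry")
        ET.SubElement(entry, f"{{{ATOM_NS}}}title").text = f"Articles in {cat}"
        ET.SubElement(entry, f"{{{ATOM_NS}}}category", term=cat)
    return ET.tostring(feed, encoding="utf-8")


def contains_raw_markup(xml_fragment: str, value: str) -> bool:
    """Defender check: does a markup-bearing value appear unescaped in the output?"""
    return ("<" in value or "&" in value) and value in xml_fragment


def parsed_title_text(xml_fragment: str) -> Optional[str]:
    """Parse a <title> fragment; None means the XML is not well-formed."""
    try:
        return ET.fromstring(xml_fragment).text
    except ET.ParseError:
        return None


def first_entry_title(feed_xml: bytes) -> str:
    """Read back the first entry title from a serialized feed."""
    root = ET.fromstring(feed_xml)
    node = root.find(f"{{{ATOM_NS}}}entry/{{{ATOM_NS}}}title")
    return node.text if node is not None and node.text is not None else ""


def render_title_for_html(atom_title_text: str) -> str:
    """Consumer side: text taken from the feed must be HTML-encoded before
    it is written into a document; using innerHTML with the raw text is
    exactly the unsafe sink the report describes."""
    return html.escape(atom_title_text, quote=True)


if __name__ == "__main__":
    print(build_title_unsafe(SAMPLE_CATEGORY))
    print(build_title_safe(SAMPLE_CATEGORY))
    feed = build_feed_safe("Demo feed", [SAMPLE_CATEGORY])
    print(feed.decode("utf-8"))
    print(render_title_for_html(first_entry_title(feed)))
```

Two points worth noticing when running it: the concatenated version is not even well-formed XML for this input (a bare `&` is an invalid token), which is why a strict XML parser rejects it while a lenient HTML-oriented reader may not; and the escaped version decodes back to the original characters as text, so a consumer that then inserts that text with `innerHTML` reintroduces the problem unless it applies HTML encoding (or uses a text-only sink) itself.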