CVE-2021-47976: TextPattern CMS 4.9.0-dev allows attackers to run malicious code
Summary
Authenticated attackers can upload and run malicious PHP files on a TextPattern CMS server. This can let them take control of the server or steal sensitive data. To protect your server, update to a secure version of TextPattern CMS or apply the necessary patches.
Original title
TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers c...
Original description
TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution.
NVD CVSS 3.1
8.8
NVD CVSS 4.0
8.7
Vulnerability type
CWE-352: Cross-Site Request Forgery (CSRF)
Published: 16 May 2026 · Updated: 30 May 2026 · First seen: 16 May 2026