TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution.
Security readout for executives and security teams
Plain-English summary
TextPattern CMS 4.9.0-dev has a high-severity flaw where a logged-in attacker can abuse plugin upload handling to place PHP code on the server. If exploited, this can lead to full compromise of the website and underlying application data.
Executive priority
Prioritize within the current remediation cycle if TextPattern CMS 4.9.0-dev is present. The risk is high because exploitation requires only authenticated access and can lead to server-side code execution.
Technical view
The reported issue affects TextPattern CMS 4.9.0-dev. An authenticated attacker can use the plugin upload flow, including a CSRF token from the plugin event page, to upload arbitrary PHP into textpattern/tmp/ and execute code. CVSS is 8.8, with low attack complexity and low privileges required.
Likely exposure
Exposure appears limited to TextPattern CMS 4.9.0-dev deployments, especially systems where untrusted or compromised authenticated users can access plugin upload functionality. The sources do not identify other affected versions.
Exploitation context
A public ExploitDB reference exists, but the source bundle does not show CISA KEV listing or active exploitation evidence. Treat this as credible public exploit availability, not confirmed in-the-wild exploitation.
Researcher notes
The CVE record was published on 2026-05-16 and updated on 2026-05-18. CWE is listed as CWE-352, but the described impact centers on authenticated arbitrary PHP upload via plugin functionality. No patch version is provided in the bundle.
Mitigation direction
Identify and remove any TextPattern CMS 4.9.0-dev internet exposure.
Check official Textpattern guidance for a supported fixed version or remediation.
Restrict administrative and plugin upload access to trusted users only.
Review textpattern/tmp/ for unexpected PHP files.
Preserve logs and artifacts before cleanup if compromise is suspected.
Validation and detection
Inventory TextPattern CMS installations and confirm exact version strings.
Identify accounts with plugin upload or administrative access.
Review web server logs for unusual plugin upload activity.
Inspect textpattern/tmp/ for unauthorized PHP files.
Confirm whether vendor guidance names a fixed release or workaround.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-352: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.