Description
TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function.
Published: 2026-05-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TextPattern CMS version 4.8.7 contains a flaw classified as CWE-434, permitting authenticated attackers to upload arbitrary PHP files through the CMS’s file upload feature. When a malicious script is uploaded, the attacker can access it via the /textpattern/files/ directory and cause the web server to execute the code, enabling arbitrary command execution with the privileges of the web server process. The impact is therefore a full compromise of the affected installation, as the attacker can run any system command.

Affected Systems

The only affected product explicitly listed is TextPattern CMS 4.8.7. No other versions are mentioned in the vendor or CPE data. Consequently, systems running this exact version are at risk unless identical unpatched code paths exist in other releases.

Risk and Exploitability

The CVSS score of 8.7 classifies the vulnerability as high severity. While no EPSS score is reported, public exploits are available on exploit‑db, indicating that the flaw has been leveraged in the wild. The attack requires successful authentication to the CMS and use of the file‑upload function, so the vector is authenticated remote. Because the uploaded PHP shell is executed with web‑server privileges, any command can be run. The vulnerability is not present in the CISA KEV catalog, but the high score and existing proof‑of‑concepts warrant prompt remediation.

Generated by OpenCVE AI on May 10, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch or upgrade TextPattern CMS to a version that removes the ability to upload and execute PHP files.
  • Configure the CMS to reject uploads with a .php extension or otherwise disallow code execution within uploaded content.
  • Adjust the web‑server configuration so that the /textpattern/files/ directory is served as static content only, disabling execution of .php files or applying a noexec flag.
  • Consider moving the upload directory outside the web root or setting restrictive file permissions to further reduce the risk of accidental execution.
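An Apache configuration that applies the third and fourth actions above (serve /textpattern/files/ as static content, never hand uploaded files to PHP), added here as an example; it is not TextPattern's own configuration or vendor guidance. It assumes the site lives under /var/www/html/textpattern and that the block is placed in the virtual host, not in a .htaccess file.

```apache
# Added example, not part of TextPattern. Assumed document root:
# /var/www/html/textpattern. Place this in the virtual host config.
<Directory "/var/www/html/textpattern/files">
    # Serve uploads as static content only: drop any handler or MIME type
    # mapping that would pass .php (or common variants) to the PHP engine.
    RemoveHandler .php .phtml .phar .php3 .php4 .php5 .php7 .phps
    RemoveType    .php .phtml .phar .php3 .php4 .php5 .php7 .phps

    # mod_php only: turn the engine off for this directory. The module name
    # is mod_php7.c on PHP 7; the block is skipped when PHP runs via PHP-FPM.
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Most reliable control regardless of how PHP is wired up (mod_php or a
    # vhost-level SetHandler to PHP-FPM): refuse to serve script-like names
    # at all, so an uploaded shell cannot even be fetched.
    <FilesMatch "(?i)\.ph(p[0-9]?|tml|ar|ps)$">
        Require all denied
    </FilesMatch>

    # No directory listings or CGI execution of uploaded content.
    Options -Indexes -ExecCGI
</Directory>
```

After reloading Apache, a request for any .php name under /textpattern/files/ should return 403 rather than executing; check the error log if the vhost also maps .php to PHP-FPM with a FilesMatch, since that section is merged after this Directory block.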



Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type                 Values Removed   Values Added
Description          -                TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function.
Title                -                TextPattern CMS 4.8.7 Remote Code Execution via File Upload
First Time appeared  -                Textpattern; Textpattern textpattern
Weaknesses           -                CWE-434
CPEs                 -                cpe:2.3:a:textpattern:textpattern:4.8.7:-:*:*:*:*:*:*
Vendors & Products   -                Textpattern; Textpattern textpattern
References           -                -
Metrics              -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                                      cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:59.549Z

Reserved: 2026-02-01T11:24:18.718Z

Link: CVE-2021-47943

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:30.627

Modified: 2026-05-10T13:16:30.627

Link: CVE-2021-47943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses