CVE-2026-30452

medium

Published 2026-04-21 · Modified 2026-05-13

CVSS v3

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2

—

VIR risk

6.5

Description

Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://textpattern.com/weblog/textpattern-491-released-security-fixes-patches-and-tweaks

Application impact

Vendor	Product	Versions	Fixed
textpattern	textpattern	`4.9.0`

References

https://github.com/textpattern/textpattern
https://textpattern.com/weblog/textpattern-491-released-security-fixes-patches-and-tweaks

CWEs

CWE-284

Verify integrity in audit chain (admin only). AS-IS.