CVE-2026-32986 is a second-order cross-site scripting vulnerability identified in Textpattern CMS version 4.9.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of Atom feed XML elements. Specifically, parameters such as 'category' can contain malicious payloads that are not properly escaped before being embedded into Atom feed fields like <category> and <title>. When feed readers or CMS aggregators consume these feeds, they often insert the feed content into the Document Object Model (DOM) using unsafe methods that do not sanitize or encode the input, allowing embedded JavaScript to execute in the context of the user. This second-order nature means the malicious input is stored and later executed when the feed is processed, rather than immediately upon submission. The vulnerability does not require any authentication or privileges to exploit, but user interaction is necessary as the victim must consume the malicious feed. The CVSS 4.0 base score is 5.1 (medium), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and limited impact on confidentiality and integrity. No known exploits are currently reported in the wild. The flaw is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output).

The primary impact of this vulnerability is the potential execution of arbitrary JavaScript code in the context of users consuming the malicious Atom feed. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. Since the attack vector is via feed consumption, any system or user that aggregates or displays Atom feeds from vulnerable Textpattern CMS instances is at risk. The scope includes both the CMS administrators who may unknowingly publish malicious content and the end users or systems consuming the feeds. Although the vulnerability does not directly compromise the CMS server or backend data, the client-side impact can be significant, especially if feed readers or aggregators are widely used in an organization. The medium severity rating reflects that while the attack requires user interaction, the ease of exploitation and potential for client-side compromise pose a meaningful risk. Organizations relying on Textpattern CMS 4.9.0 for content distribution via Atom feeds may face reputational damage, data leakage, or further exploitation through chained attacks.

To mitigate this vulnerability, organizations should first upgrade to a patched version of Textpattern CMS once available, as no patch links are currently provided. In the interim, administrators should implement strict input validation and output encoding for all user-supplied data, especially parameters that are embedded into Atom feeds. Employing a whitelist approach for allowed characters in feed parameters like 'category' can reduce injection risk. Additionally, configuring feed readers and CMS aggregators to sanitize or escape feed content before DOM insertion can prevent script execution. Using Content Security Policy (CSP) headers to restrict script execution from untrusted sources can further reduce impact. Monitoring feed content for suspicious or unexpected scripts and restricting feed consumption to trusted sources are also recommended. Finally, educating users about the risks of consuming untrusted feeds and encouraging cautious interaction can help limit exploitation opportunities.