{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30452", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T16:32:19.608Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T16:32:19.608Z"}, "descriptions": [{"lang": "en", "value": "Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/textpattern/textpattern"}, {"url": "https://textpattern.com/weblog/textpattern-491-released-security-fixes-patches-and-tweaks"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users."}], "id": "CVE-2026-30452", "lastModified": "2026-04-21T17:16:36.303", "metrics": {}, "published": "2026-04-21T17:16:36.303", "references": [{"source": "cve@mitre.org", "url": "https://github.com/textpattern/textpattern"}, {"source": "cve@mitre.org", "url": "https://textpattern.com/weblog/textpattern-491-released-security-fixes-patches-and-tweaks"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.9.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "textpattern", "vendor": "textpattern"}], "analysis": {"en": {"generated_at": "2026-04-21T23:12:09.061501+00:00", "value": {"mitigation_remediation": ["Apply the official patch released in Textpattern CMS 4.9.1 or later to fix the broken access control issue.", "If a patch is not immediately deployable, restrict duplicate-and-save functionality for low\u2011privilege user groups using the CMS permission settings to block the ability to manipulate article IDs.", "Configure your web server to restrict direct access to txp_article.php or use URL rewriting rules to prevent unauthenticated manipulation of article identifiers."], "summary": {"action": "Patch immediately", "impact": "Unauthorized modification of content owned by higher-privilege users via broken access control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Textpattern CMS version 4.9.0 and potentially earlier releases that have not applied the patch included in the 4.9.1 security release. It specifically targets the article management subsystem located in txp_article.php and the duplicate-and-save operation exposed to authenticated users.", "description_and_impact": "Textpattern CMS 4.9.0 contains a broken access control flaw that enables authenticated users with low privileges to alter articles belonging to users with higher privileges. The vulnerability arises when the article ID parameter is manipulated during the duplicate-and-save workflow in txp_article.php, allowing an attacker to bypass authorization checks and overwrite target content. This flaw can be leveraged to tamper with confidential or strategically important articles, impacting the integrity of published material and potentially leading to misinformation or loss of trust.", "risk_and_exploitability": "Although EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the flaw permits privilege escalation within the CMS, enabling attackers to modify content that would otherwise be protected. Based on the description, the likely attack vector is an authenticated user who can control the article ID parameter during duplication. The high potential for compromising content integrity suggests a severe risk posture, warranting immediate attention."}}}}, "created": "2026-04-21T17:30:37.395889+00:00", "updated": "2026-04-21T23:15:03.127478+00:00", "vendors": ["textpattern", "textpattern$PRODUCT$textpattern"]}