Textpattern 4.9.1 Security Update: CVE-2026-29906 Stored XSS and Access Control Fix

Vulnerability Overview Textpattern version 4.9.1 has been released, including security fixes, patches, and improvements. It primarily addresses two security vulnerabilities: 1. Authenticated Stored XSS Vulnerability - Reported by Jan Jeffrie Galvez Saloman. - This vulnerability allows stored cross-site scripting attacks within Textpattern. 2. Access Control Regression Issue - Reported by Federico Fraschino. - The issue involves an access control regression in article management. Impact Scope Authenticated Stored XSS Vulnerability: - Affects all versions prior to Textpattern 4.9.1. - Upgrading to version 4.9.1 is strongly recommended. Access Control Regression Issue: - Affects Textpattern version 4.9.0. - Upgrading to version 4.9.1 is strongly recommended. Remediation Authenticated Stored XSS Vulnerability: - Upgrade to Textpattern version 4.9.1. - CVE ID: CVE-2026-29906. Access Control Regression Issue: - Upgrade to Textpattern version 4.9.1. - CVE ID: To be assigned. Upgrade Guide Back up website files and database before upgrading. Refer to the file for details of changes. Ensure you are using the latest PHP version for optimal performance and security. Download & Installation Download Textpattern 4.9.1 from textpattern.com or GitHub. Packages available in , , and formats. Refer to and for installation and upgrade instructions. Feedback & Support Users can provide feedback via the Textpattern Forum. Issue reports can be submitted through GitHub Issues. Additional Information Textpattern 4.9.1 is the first patch release in the 4.9 branch. Improvements have been made to article image handling and thumbnail generation. Resolves the issue encountered by MariaDB 11.8+ users. Future support for MariaDB is planned. Summary Textpattern version 4.9.1 fixes two critical security vulnerabilities; all users are strongly advised to upgrade to this version to ensure website security.

Goal Reached Thanks to every supporter — we hit 100%!

Textpattern 4.9.1 Security Update: CVE-2026-29906 Stored XSS and Access Control Fix