
Textpattern

v4.9.1 Security

This release includes two security fixes (an admin-side XSS and an access control regression in articles) and is worth prioritising on any deployment whose admin interface is reachable from the Internet. No CVE identifiers are listed for either fix on this page or in the changelog.

Published 3 months ago in Productivity & Wikis

Topics

cmf, cms, cms-framework, content-management, content-management-system, php, platform, textpattern

Summary

AI summary

Resolved admin-side XSS vulnerability and access control regression in articles.

Full changelog
  • Maintenance release with security enhancements, general improvements and bug fixes.
  • Security: Resolved access control regression with articles. Many thanks to Federico Frascino.
  • Security: Resolved admin-side XSS vulnerability. Many thanks to Jan Jeffrie Galvez Salloman, aka '0xj4n'.
  • Changed: (Article)Image tags only output dimensions on demand.
  • Changed: <txp:article_image> skips empty images/thumbnails.
  • Changed: Valueless width/height/crop behaviour in (Article)Image tags.
  • Changed: Thumb path now permits virtual/multiple host setups.
  • Changed: Use publisher email and fallback if no/invalid sender is supplied (thanks, @jools-r).
  • Fixed: Fatal error with UNIXTIME() changes in MariaDB 11.8+.
  • Fixed: Dynamic thumbnail MIME detection (thanks, rezozero/ambroisemaupate).
  • Fixed: PHP 5.6 support (thanks, pinalgirkar).
  • Fixed: Show template content even if theme is deleted (thanks, Mark Goodwin).
  • Fixed: Correct admin theme file scaffold for dynamic thumbnails.
  • Fixed: Reintroduce 'No' indicator if thumbnail is missing in Images list panel (thanks, @rwetzlmayr and @phiw13).
  • Fixed: Duplicate action only available for existing content.
  • Fixed: Assets created with no timestamp use time of creation, not Unix epoch.
  • Fixed: Internal errors with password reset email sending on PHP 8.5.
  • Added: (Article)Image thumbnails can output any supported format.
  • Vendors: jQuery UI 1.14.2.

Security Fixes

  • Resolved admin-side XSS vulnerability
  • Resolved access control regression with articles
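Neither fix is described in enough detail on this page to reproduce or test, so the practical check for a team reviewing exposed deployments is simply whether each install is at 4.9.1 or later. The script below is an added example, not code from the Textpattern project; it assumes (unverified here) that the installed version is declared as define('txp_version', 'X.Y.Z'); in textpattern/lib/constants.php under the install root, and it uses sort -V for the version comparison so that 4.10.x sorts after 4.9.1.

```shell
#!/bin/sh
# Added example: flag Textpattern installs older than the 4.9.1 security release.
# Assumption (not confirmed by the release page): the version string lives in
# textpattern/lib/constants.php as  define('txp_version', '4.9.1');
FIXED_VERSION="4.9.1"

# Print the txp_version string found in a constants file (empty if absent).
txp_version_from_file() {
  sed -n "s/.*define('txp_version', *'\([0-9][0-9.]*[A-Za-z0-9.-]*\)').*/\1/p" "$1" | head -n 1
}

# Return 0 when version $1 is greater than or equal to version $2.
# sort -V orders numerically per component, so 4.10.0 >= 4.9.1 holds.
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Audit one install root. Exit status: 0 patched, 1 needs update, 2 undetermined.
audit_txp_root() {
  root="$1"
  f="$root/textpattern/lib/constants.php"
  v="$(txp_version_from_file "$f" 2>/dev/null)"
  if [ -z "$v" ]; then
    echo "$root: could not read txp_version from $f"
    return 2
  fi
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "$root: Textpattern $v (>= $FIXED_VERSION, contains both security fixes)"
    return 0
  fi
  echo "$root: Textpattern $v (< $FIXED_VERSION, update required)"
  return 1
}

# Usage: audit every install root passed on the command line, e.g.
#   sh txp_audit.sh /var/www/site1 /var/www/site2
# An install on an unsupported path fails closed with status 2, not a false pass.
for r in "$@"; do
  audit_txp_root "$r"
done
```

Run it against the web roots of each deployment; anything returning 1 or 2 needs a look, since an undetermined version (status 2) usually means a non-standard layout or a very old install rather than a patched one.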


About Textpattern

Flexible, elegant and easy-to-use CMS.
