Team Textpattern is pleased to announce the release of Textpattern 4.9.1, available for immediate download.

Release overview

Textpattern 4.9.1 is a patch release with security fixes, some patches & refinements to functionality introduced in Textpattern 4.9.0, a fix for MariaDB 11.8 users, and sundry bug fixes.

If you have a Textpattern website, we recommend upgrading to Textpattern 4.9.1 to fix 2 reported security issues. Both issues were reported to us by third-party security researchers. We are grateful to both researchers for their considerations in responsible reporting and co-ordinated disclosure.

Security fix: authenticated stored XSS

Many thanks to Jan Jeffrie Galvez Salloman, aka ‘0xj4n’ for responsibly reporting an issue relating to an authenticated stored XSS vulnerability. We are grateful for their clear and thorough report in outlining the issue, which allowed Textpattern developers to efficiently reproduce the issue, isolate a fix and resolve it. At the time of article publication, we are anticipating a CVE reference for this issue. This article will be updated to reflect the CVE details when we have them.

Versions of Textpattern prior to 4.9.1 are affected by this issue, and upgrading is highly recommended.

Security fix: access control regression

Many thanks to Federico Frascino for responsibly reporting an access control regression issue relating to article management. We are grateful for their clear and thorough report in outlining the issue, which allowed Textpattern developers to efficiently reproduce the issue, isolate a fix and resolve it. At the time of article publication, we are anticipating a CVE reference for this issue. This article will be updated to reflect the CVE details when we have them.

Textpattern 4.9.0 is affected by this issue and upgrading is highly recommended.

Versions of Textpattern prior to 4.9.0 are not affected by this issue.

Upgrading Textpattern

As with all Textpattern upgrades, please refer to the current Textpattern system requirements and ensure you have known-good backups of your site files and database, including all uploaded content such as images & files. Before you make any changes, please refer to the accompanying release notes in HISTORY.txt to ensure you understand what has changed in this release, along with any releases that may have been skipped. You can check your current Textpattern version from the bottom of any page on the admin-side.

Thank you to everyone who contributed to this and prior Textpattern releases with reporting & resolving bugs, providing & improving language translations and overall improvements to the Textpattern ecosystem. We’re grateful to all contributors offering us their expertise, time, attention, words, donations, signal boosting, evangelism, cheerleading and all other activities that fuel our project.

Textpattern’s infrastructure and continued development is kindly supported by DigitalOcean, 1Password and BrowserStack. We are grateful for their ongoing involvement & support for Textpattern, and our global community of authors, publishers, designers and administrators. Thank you!

There is no spyware, adware, user tracking or other junk in Textpattern. We work hard to keep Textpattern fast, nimble, secure and ready for pretty much anything you can throw at it. You can show your appreciation by sponsoring Textpattern on GitHub or supporting Textpattern on Open Collective. Alternatively, you can donate to Team Textpattern with PayPal.

We have a friendly forum for a Textpattern sites showcase – tell us what you’ve made with Textpattern, we’d love to hear from you. Even a ‘hello!’ or ‘thanks!’ helps us to gauge how far Textpattern has travelled, so don’t be a stranger.

Textpattern system requirements

Textpattern 4.9 requires a minimum of PHP 5.6 as part of the system requirements, though using a vendor-supported PHP version is highly recommended. There are notable performance gains with modern PHP versions, as well as a variety of security considerations.

Download Textpattern 4.9.1

You can download Textpattern 4.9.1 from textpattern.com or GitHub. Both locations provide the same compressed archive files, along with checksums for validating your download.

Textpattern 4.9.1 is available as a .zip archive intended for single-site instances. Most Textpattern administrators will find this archive format appropriate for their needs.

Textpattern administrators wishing to use Textpattern’s multi-site capabilities or having a preference for a UNIX/Linux-centric archive format can download either the .tar.gz or .tar.xz archive as they include the necessary extra multi-site support files and symbolic links.

From Textpattern 4.9.0, we offer a .tar.xz archive for further byte savings. The XZ compression format’s storage algorithm provides a considerably smaller download than the .tar.gz archive. The unpacked contents of the .tar.xz archive are identical to the .tar.gz archive’s unpacked contents.

From textpattern.com

You can download Textpattern 4.9.1 from textpattern.com using the following links,

File download

textpattern-4.9.1.zip

SHA256 checksum e7307661548f91ffd9b71b04f09d49316271976f2c85694bf62004a77c637c2a
File size 4021 kB | Created
File download

textpattern-4.9.1.tar.gz

SHA256 checksum b7d7e429946be81877670b0348f433d74daeb537a3221e6396a6dd0a8f4b20b4
File size 3680 kB | Created
File download

textpattern-4.9.1.tar.xz

SHA256 checksum 501f13364a8298df857db7616f28d38fac87c1ffeb063508043d8b1dd2303ba4
File size 2375 kB | Created

From GitHub

Install

Please refer to the Textpattern INSTALL.txt for a comprehensive walkthrough. This file is included in the Textpattern archive and linked here for your convenience.

Upgrade

We have a forum thread dedicated to Textpattern 4.9.1 feedback. We gather field reports from fellow Textpattern administrators and users that may assist or guide you with upgrading.

Please refer to the Textpattern UPGRADE.txt for the upgrade procedure. This file is included in the Textpattern archive and linked here for your convenience.

As with any software update, please ensure you verify working backups of Textpattern sites you are upgrading before undertaking any modifications. This includes the Textpattern database and files, plus any file and/or image uploads.

The vast majority of Textpattern upgrades are smooth sailing and occur without incident, but on the rare occasion something does go astray it’s preferable to safely restore the known-good version from your full site backup and troubleshoot any issues while your site continues to be available on the prior version.

What’s new in Textpattern 4.9.1?

Textpattern 4.9.1 is the first patch release of the 4.9 branch. It follows less than 1 month after the release of Textpattern 4.9.0 in December 2025. The relatively short release cadence is a result of two security issues discovered in the administration area of Textpattern.

In addition to addressing the security reports, we have improved article image handling and thumbnail generation based on user feedback. MariaDB 11.8+ users encountered a UNIXTIME() issue with Textpattern 4.9.0. While we do not officially support MariaDB at the present time, we acknowledge that many hosting organisations provide MariaDB in place of Oracle MySQL, and accordingly we have resolved the reported UNIXTIME() issue.

We are considering support scope for MariaDB in future releases of Textpattern. We will communicate any support changes in due course.

We are confident that Textpattern works well on modern MySQL & PHP, and we will continue to work towards patch releases of Textpattern 4.9 to provide compatibility with PHP’s annual release and MySQL’s next Long Term Support (LTS) release scheduled for mid-2026. By the end of 2026, we expect to have general availability for PHP 8.6 and MySQL 9.7.

The Textpattern HISTORY.txt outlines changes for this and all previous Textpattern releases, along with their respective release dates. We recommend you read the list of changes to understand how this may affect your current sites, especially if you’re upgrading from older versions. Please note that while upgrades from very old releases of Textpattern are possible, you may need to perform a multi-stage upgrade.

If you require clarification on any aspect of the release notes, we recommend you seek advice before starting a site upgrade. The Textpattern support forum is an excellent place to start, and the Textpattern user documentation provides examples, explanations and background information.

The following lists are cherry-picked items from the HISTORY.txt to provide an overview for interested parties.

Headlines

  • Security: Resolved access control regression with articles. Many thanks to Federico Frascino.
  • Security: Resolved admin-side XSS vulnerability. Many thanks to Jan Jeffrie Galvez Salloman, aka ‘0xj4n’.

Image Thumbnails

  • Added: Ability to output thumbnails of any supported format from the original full-size uploaded image.
  • Changed: Thumb path now permits virtual/multiple host setups too.
  • Fixed: Dynamic thumbnail MIME detection (thanks, rezozero/ambroisemaupate).
  • Fixed: Correct admin theme file scaffold for dynamic thumbnails.
  • Fixed: The ‘no’ indicator for when a thumbnail is intentionally missing.

Tags

  • Changed: (Article)Image tags only output dimensions on demand.
  • Changed: <txp:article_image> skips empty images/thumbnails.
  • Changed: Valueless width/height/crop behaviour in (Article)Image tags.

User Experience

  • Fixed: Duplicate action only available for existing content.

Internals

  • Fixed: Assets created without a timestamp use time of creation, not epoch.
  • Fixed: Correct admin theme file scaffold for dynamic thumbnails.
  • Fixed: Fatal error with UNIXTIME() changes in MariaDB 11.8+.
  • Fixed: PHP 5.6 support (thanks, pinalgirkar).

Feedback

We are particularly interested in feedback on these areas:

  • User experience with dynamic thumbnails.
  • User experience with Textpattern on PHP 8.5 compared to previous versions of PHP.
  • Compatibility and usability with end-of-life’d PHP releases, factoring in the Textpattern system requirements.
  • Usability of the new tag attributes (refer to the Textpattern HISTORY.txt for details).
  • Any unexpected issues appearing in the front-side of your Textpattern sites.
  • Any unexpected issues shown in admin-side Diagnostics.

We have a dedicated support forum thread for Textpattern 4.9.1 feedback where Textpattern users, experts & developers gather and address feedback. We are grateful for all feedback, even a short confirmation that your upgrade(s) completed as expected is appreciated.

We maintain Textpattern issues at GitHub if you would like further insight into where we’re heading with this release and future work.

Further notes

If you find anything not working correctly or wish to propose improvements, please file a report on GitHub. There are templates for feature requests and bug reports.

Textpattern Demo

The Textpattern demo has been updated to offer Textpattern test drives. The demo sites are rebuilt every few hours using the Textpattern auto-installer.

We hope you enjoy this release and it serves you, your sites and clients well!

Thank you for your interest in Textpattern!