CVE-2026-21393

MEDIUM4.8Cross-site scripting

Description

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

Active

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

Low

Availability (Subsequent System)

None

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Six Apart Ltd. / Movable Type Advanced (Software Edition)8.0.2 to 8.0.8 (8.0 series) – 8.0.2 to 8.0.8 (8.0 series)
Six Apart Ltd. / Movable Type Advanced (Software Edition)9.0.4 to 9.0.5 (9.0 series) – 9.0.4 to 9.0.5 (9.0 series)
Six Apart Ltd. / Movable Type Advanced (Software Edition)8.8.0 to 8.8.1 (8.8 series) – 8.8.0 to 8.8.1 (8.8 series)
Six Apart Ltd. / Movable Type (Cloud Edition)9.0.5 (9 series) – 9.0.5 (9 series)
Six Apart Ltd. / Movable Type (Cloud Edition)8.8.1 (8 series) – 8.8.1 (8 series)
Six Apart Ltd. / Movable Type Premium (Advanced Edition) (Software Edition)9.0.4 (MTP 9.0 series) – 9.0.4 (MTP 9.0 series)
Six Apart Ltd. / Movable Type Premium (Advanced Edition) (Software Edition)2.13 and earlier (MTP 2 series) – 2.13 and earlier (MTP 2 series)
Six Apart Ltd. / Movable Type Premium (Cloud Edition)9.0.5 (9 series) – 9.0.5 (9 series)
Six Apart Ltd. / Movable Type Premium (Cloud Edition)2.12 (MTP 2 series) – 2.12 (MTP 2 series)
Six Apart Ltd. / Movable Type Premium (Software Edition)2.13 and earlier (MTP 2 series) – 2.13 and earlier (MTP 2 series)
Six Apart Ltd. / Movable Type Premium (Software Edition)9.0.4 (MTP 9.0 series) – 9.0.4 (MTP 9.0 series)
Six Apart Ltd. / Movable Type (Software Edition)9.0.4 to 9.0.5 (9.0 series) – 9.0.4 to 9.0.5 (9.0 series)
Six Apart Ltd. / Movable Type (Software Edition)8.0.2 to 8.0.8 (8.0 series) – 8.0.2 to 8.0.8 (8.0 series)
Six Apart Ltd. / Movable Type (Software Edition)8.8.0 to 8.8.1 (8.8 series) – 8.8.0 to 8.8.1 (8.8 series)

CVE-2026-21393

Description

CVSS breakdown

Affected products

References