CVE-2026-33088

Description

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.

CVSS breakdown

Affected products

• Six Apart Ltd. / Movable Type9.1.0 and earlier – 9.1.0 and earlier
• Six Apart Ltd. / Movable Type9.0.6 and earlier – 9.0.6 and earlier
• Six Apart Ltd. / Movable Type8.8.2 and earlier – 8.8.2 and earlier
• Six Apart Ltd. / Movable Type8.0.9 and earlier – 8.0.9 and earlier
• Six Apart Ltd. / Movable Type5.1 to 5.18 – 5.1 to 5.18
• Six Apart Ltd. / Movable Type5.2 – 5.2
• Six Apart Ltd. / Movable Type5.2.1 to 5.2.13 – 5.2.1 to 5.2.13
• Six Apart Ltd. / Movable Type6.0 – 6.0
• Six Apart Ltd. / Movable Type6.0.1 to 6.8.8 – 6.0.1 to 6.8.8
• Six Apart Ltd. / Movable Type7 r.4207 to r.5510 – 7 r.4207 to r.5510
• Six Apart Ltd. / Movable Type8.4.0 to 8.4.4 – 8.4.0 to 8.4.4
• Six Apart Ltd. / Movable Type1.0 to 1.68 – 1.0 to 1.68
• Six Apart Ltd. / Movable Type Advanced9.0.6 and earlier – 9.0.6 and earlier
• Six Apart Ltd. / Movable Type Advanced8.0.9 and earlier – 8.0.9 and earlier
• Six Apart Ltd. / Movable Type Advanced8.8.2 and earlier – 8.8.2 and earlier
• Six Apart Ltd. / Movable Type Advanced9.1.0 and earlier – 9.1.0 and earlier
• Six Apart Ltd. / Movable Type Premium2.14 and earlier – 2.14 and earlier
• Six Apart Ltd. / Movable Type Premium9.1.0 and earlier – 9.1.0 and earlier
• Six Apart Ltd. / Movable Type Premium9.0.6 and earlier – 9.0.6 and earlier
• Six Apart Ltd. / Movable Type Premium (Advanced Edition)9.1.0 and earlier – 9.1.0 and earlier
• Six Apart Ltd. / Movable Type Premium (Advanced Edition)9.0.6 and earlier – 9.0.6 and earlier
• Six Apart Ltd. / Movable Type Premium (Advanced Edition)2.14 and earlier – 2.14 and earlier
• Six Apart Ltd. / Movable Type Premium (MT8-based)2.14 and earlier – 2.14 and earlier

References

• MISChttps://movabletype.org/news/2026/04/mt-907-released.html
• MISChttps://www.sixapart.jp/movabletype/news/2026/04/08-1100.html
• MISChttps://jvn.jp/en/jp/JVN66473735/