CVE-2026-22875

Summary

Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type (Software Edition)9.0.4 to 9.0.5 (9.0 series)affected
Six Apart Ltd.Movable Type (Software Edition)8.8.0 to 8.8.1 (8.8 series)affected
Six Apart Ltd.Movable Type (Software Edition)8.0.2 to 8.0.8 (8.0 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)9.0.4 to 9.0.5 (9.0 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)8.8.0 to 8.8.1 (8.8 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)8.0.2 to 8.0.8 (8.0 series)affected
Six Apart Ltd.Movable Type Premium (Software Edition)9.0.4 (MTP 9.0 series)affected
Six Apart Ltd.Movable Type Premium (Software Edition)2.13 and earlier (MTP 2 series)affected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (Software Edition)9.0.4 (MTP 9.0 series)affected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (Software Edition)2.13 and earlier (MTP 2 series)affected
Six Apart Ltd.Movable Type (Cloud Edition)9.0.5 (9 series)affected
Six Apart Ltd.Movable Type (Cloud Edition)8.8.1 (8 series)affected
Six Apart Ltd.Movable Type Premium (Cloud Edition)9.0.5 (9 series)affected
Six Apart Ltd.Movable Type Premium (Cloud Edition)2.12 (MTP 2 series)affected

Weaknesses

  • CWE-79: Cross-site scripting (XSS)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References