CVE-2026-33088

Summary

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type9.1.0 and earlieraffected
Six Apart Ltd.Movable Type9.0.6 and earlieraffected
Six Apart Ltd.Movable Type8.8.2 and earlieraffected
Six Apart Ltd.Movable Type8.0.9 and earlieraffected
Six Apart Ltd.Movable Type Advanced9.1.0 and earlieraffected
Six Apart Ltd.Movable Type Advanced9.0.6 and earlieraffected
Six Apart Ltd.Movable Type Advanced8.8.2 and earlieraffected
Six Apart Ltd.Movable Type Advanced8.0.9 and earlieraffected
Six Apart Ltd.Movable Type Premium9.1.0 and earlieraffected
Six Apart Ltd.Movable Type Premium9.0.6 and earlieraffected
Six Apart Ltd.Movable Type Premium Advanced Edition9.1.0 and earlieraffected
Six Apart Ltd.Movable Type Premium Advanced Edition9.0.6 and earlieraffected
Six Apart Ltd.Movable Type Premium2.14 and earlieraffected
Six Apart Ltd.Movable Type Premium Advanced Edition2.14 and earlieraffected
Six Apart Ltd.Movable Type Premium (MT8-based)2.14 and earlieraffected
Six Apart Ltd.Movable Type5.1 to 5.18affected
Six Apart Ltd.Movable Type5.2affected
Six Apart Ltd.Movable Type5.2.1 to 5.2.13affected
Six Apart Ltd.Movable Type6.0affected
Six Apart Ltd.Movable Type6.0.1 to 6.8.8affected
Six Apart Ltd.Movable Type7 r.4207 to r.5510affected
Six Apart Ltd.Movable Type8.4.0 to 8.4.4affected
Six Apart Ltd.Movable Type1.0 to 1.68affected

Weaknesses

  • CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References