CVE-2026-33088
7.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Six Apart Ltd. | Movable Type | 9.1.0 and earlier | affected |
| Six Apart Ltd. | Movable Type | 9.0.6 and earlier | affected |
| Six Apart Ltd. | Movable Type | 8.8.2 and earlier | affected |
| Six Apart Ltd. | Movable Type | 8.0.9 and earlier | affected |
| Six Apart Ltd. | Movable Type Advanced | 9.1.0 and earlier | affected |
| Six Apart Ltd. | Movable Type Advanced | 9.0.6 and earlier | affected |
| Six Apart Ltd. | Movable Type Advanced | 8.8.2 and earlier | affected |
| Six Apart Ltd. | Movable Type Advanced | 8.0.9 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium | 9.1.0 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium | 9.0.6 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium Advanced Edition | 9.1.0 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium Advanced Edition | 9.0.6 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium | 2.14 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium Advanced Edition | 2.14 and earlier | affected |
| Six Apart Ltd. | Movable Type Premium (MT8-based) | 2.14 and earlier | affected |
| Six Apart Ltd. | Movable Type | 5.1 to 5.18 | affected |
| Six Apart Ltd. | Movable Type | 5.2 | affected |
| Six Apart Ltd. | Movable Type | 5.2.1 to 5.2.13 | affected |
| Six Apart Ltd. | Movable Type | 6.0 | affected |
| Six Apart Ltd. | Movable Type | 6.0.1 to 6.8.8 | affected |
| Six Apart Ltd. | Movable Type | 7 r.4207 to r.5510 | affected |
| Six Apart Ltd. | Movable Type | 8.4.0 to 8.4.4 | affected |
| Six Apart Ltd. | Movable Type | 1.0 to 1.68 | affected |
Weaknesses
- CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://movabletype.org/news/2026/04/mt-907-released.html
- https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html
- https://jvn.jp/en/jp/JVN66473735/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.