CVE-2026-44392

Summary

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type9.1.1 and earlieraffected
Six Apart Ltd.Movable Type9.0.7 and earlieraffected
Six Apart Ltd.Movable Type8.8.3 and earlieraffected
Six Apart Ltd.Movable Type8.0.10 and earlieraffected
Six Apart Ltd.Movable Type Advanced9.1.1 and earlieaffected
Six Apart Ltd.Movable Type Advanced9.0.7 and earlieraffected
Six Apart Ltd.Movable Type Advanced8.8.3 and earlieraffected
Six Apart Ltd.Movable Type Advanced8.0.10 and earlieraffected
Six Apart Ltd.Movable Type Premium9.1.1 and earlieraffected
Six Apart Ltd.Movable Type Premium9.0.7 and earlieraffected
Six Apart Ltd.Movable Type Premium2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)affected
Six Apart Ltd.Movable Type Premium (Advanced Edition)9.1.1 and earlieraffected
Six Apart Ltd.Movable Type Premium (Advanced Edition)9.0.7 and earlieraffected
Six Apart Ltd.Movable Type Premium (Advanced Edition)2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)affected

Weaknesses

  • CWE-862: Missing authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References