CVE-2026-21393 - Vulnerability Details

- Stored XSS in Movable Type Comment Editing Allows Script Execution

Description

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Published: 2026-02-04

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Movable Type implements a stored cross‑site scripting flaw in the Edit Comment feature. When an attacker supplies crafted input that gets saved, every user who later views the comment while logged in will have that script run in their browser. The vulnerability directly compromises the integrity of the user experience and can be leveraged for malicious activities such as session hijacking or data exfiltration within the scope of the trusted user session.

Affected Systems

All Six Apart Movable Type deployments, including the Cloud Edition, Software Edition, Advanced Edition, and Premium Edition. The flaw is confirmed in the 7 series and 8.4 series releases, which are already End‑of‐Life. Any other current releases are likely affected until a patch is applied, because the underlying edit-comment processing has not been altered.

Risk and Exploitability

The CVSS score of 4.8 reflects a medium severity vulnerability, while the EPSS figure of below 1 % indicates a low likelihood of exploitation at present. The issue is not yet cataloged by CISA’s KEV list. Attackers could exploit the flaw by posting a malicious comment or by injecting script into an existing comment—any logged‑in user who views the comment will have the code executed. No remote code execution beyond the browser context is necessary, but the impact is significant for users with privileged accounts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Six Apart Ltd.

Movable Type (Software Edition)

affected

Version	Status	Constraints
`9.0.4 to 9.0.5 (9.0 series)`	affected	—
`8.8.0 to 8.8.1 (8.8 series)`	affected	—
`8.0.2 to 8.0.8 (8.0 series)`	affected	—

Six Apart Ltd.

Movable Type Advanced (Software Edition)

affected

Version	Status	Constraints
`9.0.4 to 9.0.5 (9.0 series)`	affected	—
`8.8.0 to 8.8.1 (8.8 series)`	affected	—
`8.0.2 to 8.0.8 (8.0 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Software Edition)

affected

Version	Status	Constraints
`9.0.4 (MTP 9.0 series)`	affected	—
`2.13 and earlier (MTP 2 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Advanced Edition) (Software Edition)

affected

Version	Status	Constraints
`9.0.4 (MTP 9.0 series)`	affected	—
`2.13 and earlier (MTP 2 series)`	affected	—

Six Apart Ltd.

Movable Type (Cloud Edition)

affected

Version	Status	Constraints
`9.0.5 (9 series)`	affected	—
`8.8.1 (8 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Cloud Edition)

affected

Version	Status	Constraints
`9.0.5 (9 series)`	affected	—
`2.12 (MTP 2 series)`	affected	—

No data.

Vendor	Product	Confidence	Versions
Six Apart	Movable Type	—	—
Six Apart Ltd	Movable Type	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Movable Type update (MT 906) to remove the vulnerability
If an update cannot be deployed immediately, restrict or disable the comment editing feature for non‑trusted users
Implement server‑side content filtering for edited comments, ensuring all output is properly escaped
Monitor user-generated content for suspicious script payloads and review access logs for any anomalous activity

Generated by OpenCVE AI on April 17, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://jvn.jp/en/jp/JVN45405689/
https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html

History

Sat, 18 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		Stored XSS in Movable Type Comment Editing Allows Script Execution

Wed, 04 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Six Apart Six Apart movable Type Six Apart Ltd Six Apart Ltd movable Type
Vendors & Products		Six Apart Six Apart movable Type Six Apart Ltd Six Apart Ltd movable Type

Wed, 04 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Weaknesses		CWE-79
References		https://jvn.jp/en/jp/JVN45405689/ https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
Metrics		cvssV3_0 `{'score': 5.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Subscriptions

Six Apart Movable Type

Six Apart Ltd Movable Type

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2026-02-04T07:02:50.465Z

Updated: 2026-02-04T16:08:26.340Z

Reserved: 2026-01-29T02:02:32.381Z

Link: CVE-2026-21393

Vulnrichment

Updated: 2026-02-04T16:08:22.360Z

NVD

Status : Deferred

Published: 2026-02-04T07:16:01.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object