CVE-2026-23704 - Vulnerability Details

- Unrestricted File Upload Enables Client‑Side Script Execution in Movable Type

Description

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Published: 2026-02-04

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A non‑administrative user can upload any file type, and when an administrator views that file through Movable Type, the browser executes arbitrary script. This enables client‑side code execution that can steal credentials, deface content, or serve as a foothold for further attacks. The weakness is an unrestricted upload of dangerous file types (CWE‑434).

Affected Systems

The flaw affects all editions of Movable Type supplied by Six Apart, including the Cloud Edition, Software Edition, Advanced, and Premium releases. All affected releases are in the 7 series and 8.4 series, which are already end‑of‑life. No specific patch version list is provided, but the vulnerability exists across those series.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.1, indicating a moderate impact if successfully exploited. The EPSS score is below 1 %, suggesting very low but nonzero likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. An attacker needs only a non‑administrator account to upload a malicious file; execution requires that an administrator later accesses the file, which is a predictable action in normal usage. Exploitation does not require elevated privileges on the server, but the impact arises when the administrator’s browser runs the injected script.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Six Apart Ltd.

Movable Type (Software Edition)

affected

Version	Status	Constraints
`9.0.4 to 9.0.5 (9.0 series)`	affected	—
`8.8.0 to 8.8.1 (8.8 series)`	affected	—
`8.0.2 to 8.0.8 (8.0 series)`	affected	—

Six Apart Ltd.

Movable Type Advanced (Software Edition)

affected

Version	Status	Constraints
`9.0.4 to 9.0.5 (9.0 series)`	affected	—
`8.8.0 to 8.8.1 (8.8 series)`	affected	—
`8.0.2 to 8.0.8 (8.0 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Software Edition)

affected

Version	Status	Constraints
`9.0.4 (MTP 9.0 series)`	affected	—
`2.13 and earlier (MTP 2 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Advanced Edition) (Software Edition)

affected

Version	Status	Constraints
`9.0.4 (MTP 9.0 series)`	affected	—
`2.13 and earlier (MTP 2 series)`	affected	—

Six Apart Ltd.

Movable Type (Cloud Edition)

affected

Version	Status	Constraints
`9.0.5 (9 series)`	affected	—
`8.8.1 (8 series)`	affected	—

Six Apart Ltd.

Movable Type Premium (Cloud Edition)

affected

Version	Status	Constraints
`9.0.5 (9 series)`	affected	—
`2.12 (MTP 2 series)`	affected	—

No data.

Vendor	Product	Confidence	Versions
Six Apart	Movable Type	—	—
Six Apart Ltd	Movable Type	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest available Movable Type patch that addresses the unrestricted upload issue.
Configure the system to restrict file uploads to administrators only and enforce strict MIME‑type validation, allowing only safe formats such as images or PDFs.
Remove any previously uploaded files that may contain malicious content from the public upload directories and disable direct access to these directories from the web.

Generated by OpenCVE AI on April 18, 2026 at 14:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://jvn.jp/en/jp/JVN45405689/
https://movabletype.org/news/2026/02/mt-906-released.html
https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html

History

Sat, 18 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title		Unrestricted File Upload Enables Client‑Side Script Execution in Movable Type

Wed, 04 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Six Apart Six Apart movable Type Six Apart Ltd Six Apart Ltd movable Type
Vendors & Products		Six Apart Six Apart movable Type Six Apart Ltd Six Apart Ltd movable Type

Wed, 04 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Weaknesses		CWE-434
References		https://jvn.jp/en/jp/JVN45405689/ https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html
Metrics		cvssV3_0 `{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L'}`

Subscriptions

Six Apart Movable Type

Six Apart Ltd Movable Type

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2026-02-04T07:03:37.889Z

Updated: 2026-02-04T16:07:28.812Z

Reserved: 2026-01-29T02:02:31.425Z

Link: CVE-2026-23704

Vulnrichment

Updated: 2026-02-04T16:07:24.684Z

NVD

Status : Deferred

Published: 2026-02-04T07:16:01.387

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses

CWE-434

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object