Description
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
Published: 2026-04-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection allowing arbitrary SQL execution
Action: Apply Patch
AI Analysis

Impact

Movable Type, a content management system from Six Apart Ltd., contains an SQL injection flaw. The vulnerability permits attackers to execute arbitrary SQL statements against the application’s database, potentially exposing, modifying, or deleting sensitive data and compromising the integrity of stored information.

Affected Systems

All editions of Movable Type released by Six Apart Ltd—standard, Advanced, Premium, Premium Advanced Edition and the MT8‑based Premium build—are affected. No specific product versions are listed; therefore any publicly accessible installation may be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, while no EPSS score or CISA KEV listing is available. The advisory does not state authentication requirements, so it is inferred that the injection can be triggered via web input, implying a remote attack vector over the public network. If the database credentials used by Movable Type possess high privileges, exploitation could lead to full data compromise.

Generated by OpenCVE AI on April 8, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Six Apart has released a patch that addresses this SQL injection vulnerability and apply it immediately.
  • If a patch is unavailable, limit the database account used by Movable Type to the minimal privileges required for normal operation.
  • Deploy input validation or a web application firewall rule set to block common SQL injection patterns.

Generated by OpenCVE AI on April 8, 2026 at 11:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Sixapart
Sixapart movable Type
CPEs cpe:2.3:a:sixapart:movable_type:*:*:*:*:advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:*:*:*:*:premium_advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:9.0.5:*:*:*:premium_advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:9.0.6:*:*:*:premium_advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:9.1.0:*:*:*:advanced:*:*:*
cpe:2.3:a:sixapart:movable_type:9.1.0:*:*:*:premium_advanced:*:*:*
Vendors & Products Sixapart
Sixapart movable Type
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Six Apart
Six Apart movable Type
Six Apart movable Type Premium (mt8-based)
Six Apart movable Type Premium Advanced Edition
Vendors & Products Six Apart
Six Apart movable Type
Six Apart movable Type Premium (mt8-based)
Six Apart movable Type Premium Advanced Edition

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Movable Type Enables Arbitrary Database Access

Wed, 08 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
Weaknesses CWE-89
References
Metrics cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Six Apart Movable Type Movable Type Premium (mt8-based) Movable Type Premium Advanced Edition
Sixapart Movable Type
cve-icon MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-04-08T13:31:08.213Z

Reserved: 2026-03-26T01:06:13.982Z

Link: CVE-2026-33088

cve-icon Vulnrichment

Updated: 2026-04-08T13:31:04.830Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T09:16:21.213

Modified: 2026-04-20T17:20:18.047

Link: CVE-2026-33088

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:21:56Z

Weaknesses