JVNDB-2026-000020

Multiple vulnerabilities in Movable Type

Overview

Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below.
  • Stored cross-site scripting vulnerability in Edit Comment (CWE-79) - CVE-2026-21393
  • Stored cross-site scripting vulnerability in Export Sites (CWE-79) - CVE-2026-22875
  • Unrestricted upload of file with dangerous type (CWE-434) - CVE-2026-23704
  • Improper neutralization of formula elements in a CSV file (CWE-1236) - CVE-2026-24447
CVE-2026-21393, CVE-2026-22875
Kentaro Ishii of GMO Cybersecurity by Ierae, Inc. reported these vulnerabilities to IPA.

CVE-2026-23704, CVE-2026-24447
Six Apart Ltd. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.

JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS v3 Severity
Base Metrics: 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base score has been assigned for CVE-2026-23704.

CVSS v3 Severity
Base Metrics: 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2026-21393.

CVSS v3 Severity
Base Metrics: 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
The above CVSS base score has been assigned for CVE-2026-22875.

CVSS v3 Severity
Base Metrics: 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
The above CVSS base score has been assigned for CVE-2026-24447.
Affected Products

Six Apart, Ltd.
  • Movable Type Software Edition 9.0.4 to 9.0.5 (9.0 series)
  • Movable Type Software Edition 8.8.0 to 8.8.1 (8.8 series)
  • Movable Type Software Edition 8.0.2 to 8.0.8 (8.0 series)
  • Movable Type Cloud Edition 9.0.5 (9 series)
  • Movable Type Cloud Edition 8.8.1 (8 series)
  • Movable Type Advanced Software Edition 9.0.4 to 9.0.5 (9.0 series)
  • Movable Type Advanced Software Edition 8.8.0 to 8.8.1 (8.8 series)
  • Movable Type Advanced Software Edition 8.0.2 to 8.0.8 (8.0 series)
  • Movable Type Premium Software Edition 9.0.4 (MTP 9.0 series)
  • Movable Type Premium Software Edition 2.13 and earlier (MTP 2 series)
  • Movable Type Premium Cloud Edition 9.0.5 (9 series)
  • Movable Type Premium Cloud Edition 2.12 (MTP 2 series)
  • Movable Type Premium (Advanced Edition) Software Edition 9.0.4 (MTP 9.0 series)
  • Movable Type Premium (Advanced Edition) Software Edition 2.13 and earlier (MTP 2 series)

According to the developer, 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerabilities as well.
Impact

  • An arbitrary script may be executed on a logged-in user's web browser (CVE-2026-21393, CVE-2026-22875)
  • If an administrator of the product accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the administrator's browser (CVE-2026-23704)
  • If malformed data is input to the affected product, a victim user may download a CSV file containing that malformed data, and the embedded code may be executed when the CSV file is opened in the user's environment (CVE-2026-24447)
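The last impact item (CVE-2026-24447, CWE-1236) describes CSV formula injection: a cell that begins with a character such as "=" is evaluated as a formula when the exported file is opened in a spreadsheet. The following is an added example, not code from the advisory or from Movable Type, showing the standard defensive handling on the export side: detect cells that a spreadsheet would parse as formulas, prefix them with an apostrophe so they are treated as text, and quote every field so embedded quotes, commas and newlines cannot break out of the cell. The sample rows, column names and the "=1+1" cell are constructed for the example.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start
# of a formula (the OWASP CSV-injection list): =, +, -, @, tab, carriage return.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value: str) -> bool:
    """Return True if a spreadsheet would parse this cell value as a formula.

    Useful both for neutralizing on export and for logging/flagging suspicious
    input at the point where user-supplied text is stored.
    """
    return value.startswith(FORMULA_PREFIXES)


def neutralize_cell(value) -> str:
    """Neutralize one cell value for CSV export.

    A leading apostrophe forces spreadsheet applications to treat the cell as
    literal text. Quoting and doubling of embedded double quotes is left to the
    csv writer (QUOTE_ALL in export_csv), which also covers commas and newlines.
    """
    text = "" if value is None else str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def export_csv(rows, fieldnames) -> str:
    """Serialize a list of dict rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample data (hypothetical comment records, not from the advisory):
# a harmless comment, a comment starting with "+", and a formula-shaped cell.
SAMPLE_ROWS = [
    {"author": "alice", "comment": "Nice post, thanks"},
    {"author": "bob", "comment": "+1 agreed"},
    {"author": "mallory", "comment": "=1+1"},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ["author", "comment"]))
```

The apostrophe may remain visible in the opened spreadsheet, and a legitimately negative number such as "-5" is exported as text; that is the accepted trade-off, and the usual way to limit it is to apply the neutralization to user-supplied text columns while emitting numeric columns from typed values the application controls.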
Solution

[Update the Software]
Update the affected product to the latest version according to the information provided by the developer.
The developer has released the following updates that contain fixes for these vulnerabilities.

Movable Type Software Edition
  • Movable Type / Movable Type Advanced
    • 9.0.6 (9.0 series)
    • 8.8.2 (8.8 series)
    • 8.0.9 (8.0 series)
  • Movable Type Premium / Movable Type Premium (Advanced Edition)
    • 9.1.0 (MTP 9.0 series)
    • 2.14 (MTP 2 series)
Movable Type Cloud Edition
  • Movable Type
    • 9.1.0 (9.0 series)
    • 8.8.2 (8.8 series)
  • Movable Type Premium
    • 9.1.0 (9.0 series)
    • 2.14 (MTP 2 series)
For more details, refer to the information provided by the developer.
Vendor Information

Six Apart, Ltd.
CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
  2. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2026-21393
  2. CVE-2026-22875
  3. CVE-2026-23704
  4. CVE-2026-24447
References

  1. JVN : JVN#45405689
Revision History

  • [2026/02/04]
      Web page was published