JVNDB-2026-000050

Multiple vulnerabilities in Movable Type

Overview

The Listing Framework of Movable Type provided by Six Apart Ltd. contains multiple vulnerabilities listed below.
  • Code injection (CWE-94) - CVE-2026-25776
  • SQL injection (CWE-89) - CVE-2026-33088

CVE-2026-25776
Sho Odagiri of GMO Cybersecurity by Ierae, Inc. reported this vulnerability to Six Apart Ltd. and coordinated. After the coordination was completed, Six Apart Ltd. reported the case to JPCERT/CC to notify users of the solution through JVN.

CVE-2026-33088
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS v3 Severity
Base Metrics: 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS v4 Severity
Base Metrics: 9.3 (Critical) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
    • Confidentiality Impact (VC): High
    • Integrity Impact (VI): High
    • Availability Impact (VA): High
  • Subsequent System Impact
    • Confidentiality Impact (SC): None
    • Integrity Impact (SI): None
    • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-25776.

CVSS v3 Severity
Base Metrics: 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS v4 Severity
Base Metrics: 6.9 (Medium) [IPA Score]
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Vulnerable System Impact
    • Confidentiality Impact (VC): Low
    • Integrity Impact (VI): Low
    • Availability Impact (VA): Low
  • Subsequent System Impact
    • Confidentiality Impact (SC): None
    • Integrity Impact (SI): None
    • Availability Impact (SA): None
The above CVSS base scores have been assigned for CVE-2026-33088.

Affected Products

Six Apart, Ltd.
  • Movable Type 9.1.0 and earlier (9.1 series)
  • Movable Type 9.0.6 and earlier (9.0 series)
  • Movable Type 8.8.2 and earlier (8.8 series)
  • Movable Type 8.0.9 and earlier (8.0 series)
  • Movable Type Advanced 9.1.0 and earlier (9.1 series)
  • Movable Type Advanced 9.0.6 and earlier (9.0 series)
  • Movable Type Advanced 8.8.2 and earlier (8.8 series)
  • Movable Type Advanced 8.0.9 and earlier (8.0 series)
  • Movable Type Premium 9.1.0 and earlier (9.1 series)
  • Movable Type Premium 9.0.6 and earlier (9.0 series)
  • Movable Type Premium 2.14 and earlier
  • Movable Type Premium (Advanced Edition) 9.1.0 and earlier (9.1 series)
  • Movable Type Premium (Advanced Edition) 9.0.6 and earlier (9.0 series)
  • Movable Type Premium (Advanced Edition) 2.14 and earlier
  • Movable Type Premium MT8-based 2.14 and earlier

The vulnerabilities affect Movable Type instances where the Listing Framework is enabled in the administrative console or where the Data API is available. Therefore, the following end-of-support products are also affected.
  • Movable Type 5.1 to 5.18 (all 5.1 series)
  • Movable Type 5.2, 5.2.1 to 5.2.13 (all 5.2 series)
  • Movable Type 6.0, 6.0.1 to 6.8.8 (all 6 series)
  • Movable Type 7 r.4207 to r.5510 (all 7 series)
  • Movable Type 8.4.0 to 8.4.4 (all 8.4 series)
  • Movable Type Premium 1.0 to 1.68 (all MTP 1 series)

Impact

  • An attacker could execute an arbitrary Perl script (CVE-2026-25776)
  • An attacker could execute an arbitrary SQL statement (CVE-2026-33088)

Solution

[Update the Software]
Update the affected product to the latest version according to the information provided by the developer.
The developer has released the following updates that contain fixes for the vulnerabilities.
  • Movable Type
    • 9.1.1 (for cloud version)
    • 9.0.7
    • 8.8.3
    • 8.0.10
  • Movable Type Premium
    • 9.1.1 / 9.0.7
    • 2.15

[Apply workaround]
Attacks via the Data API can be mitigated by disabling its use through the following measures:
  • Delete mt-data-api.cgi (for CGI environments)
  • Set data_api in the Movable Type environment variable RestrictedPSGIApp (for PSGI, MT 6.2 and later)
  • Set an unguessable string in the Movable Type environment variable DataAPIScript (for MT 6.0, 6.1)
For more details, refer to the information provided by the developer.
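As an added example (not from the advisory or from Six Apart), the following POSIX shell audit checks a Movable Type install root for the workaround state described above. It assumes the usual layout, mt-config.cgi and mt-data-api.cgi in the MT root, and reads the RestrictedPSGIApp and DataAPIScript directives named in the workaround list.

```shell
#!/bin/sh
# Added example (not from the advisory or from Six Apart): audit a Movable Type
# install root for the Data API workarounds the advisory lists. Assumes the usual
# layout (mt-config.cgi and mt-data-api.cgi in the MT root) and the directive
# names RestrictedPSGIApp and DataAPIScript exactly as the advisory gives them.

# Print the value of a directive from mt-config.cgi (name matched
# case-insensitively, commented lines ignored, first match wins), or nothing.
mt_config_value() {
    [ -f "$1" ] || return 0
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print the workaround state of an MT root; return 0 when the Data API is
# disabled by one of the advisory's measures, 1 when it is still reachable.
#   cgi-present      mt-data-api.cgi still exists (CGI: delete it)
#   psgi-restricted  RestrictedPSGIApp lists data_api (PSGI, MT 6.2 and later)
#   script-renamed   DataAPIScript points at a non-default name (MT 6.0, 6.1)
#   unrestricted     none of the measures found: update or apply a workaround
mt_data_api_status() {
    root="$1"
    cfg="$root/mt-config.cgi"
    if [ -f "$root/mt-data-api.cgi" ]; then
        echo cgi-present; return 1
    fi
    restricted=$(mt_config_value "$cfg" RestrictedPSGIApp)
    # Accept comma- or space-separated lists: normalise to commas, match the token.
    case ",$(printf '%s' "$restricted" | tr ' \t' ',,')," in
        *,data_api,*) echo psgi-restricted; return 0 ;;
    esac
    script=$(mt_config_value "$cfg" DataAPIScript)
    if [ -n "$script" ] && [ "$script" != mt-data-api.cgi ]; then
        echo script-renamed; return 0
    fi
    echo unrestricted; return 1
}

# Constructed sample: two throwaway roots, one with the CGI script still in
# place and one with the PSGI restriction applied.
mt_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cgi" "$tmp/psgi"
    : > "$tmp/cgi/mt-data-api.cgi"
    printf 'CGIPath /cgi-bin/mt/\nRestrictedPSGIApp data_api\n' > "$tmp/psgi/mt-config.cgi"
    for d in cgi psgi; do
        printf '%s: %s\n' "$d" "$(mt_data_api_status "$tmp/$d")"
    done
    rm -rf "$tmp"
}
mt_demo
```

A result of cgi-present or unrestricted means the Data API is still reachable and the affected instance should be updated to a fixed version rather than left on the workaround alone.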

Vendor Information

Six Apart, Ltd.

CWE

  1. SQL Injection (CWE-89) [IPA Evaluation]
  2. Code Injection (CWE-94) [IPA Evaluation]

CVE

  1. CVE-2026-25776
  2. CVE-2026-33088

References

  1. JVN: JVN#66473735

Revision History

  • [2026/04/08]
      Web page was published