CVE-2026-21393_CVE-2026-21393

5.4 / 10

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Basic Information

ID CVE-2026-21393

Source jpcert

Published Feb 4, 2026 at 07:02

Affected Product

Vendor Six Apart Ltd.

Product Movable Type (Software Edition)

Version 9.0.4 to 9.0.5 (9.0 series)

Affected Versions Six Apart Ltd. Movable Type (Software Edition) 9.0.4 to 9.0.5 (9.0 series)
Six Apart Ltd. Movable Type (Software Edition) 8.8.0 to 8.8.1 (8.8 series)
Six Apart Ltd. Movable Type (Software Edition) 8.0.2 to 8.0.8 (8.0 series)
Six Apart Ltd. Movable Type Advanced (Software Edition) 9.0.4 to 9.0.5 (9.0 series)
Six Apart Ltd. Movable Type Advanced (Software Edition) 8.8.0 to 8.8.1 (8.8 series)
Six Apart Ltd. Movable Type Advanced (Software Edition) 8.0.2 to 8.0.8 (8.0 series)
Six Apart Ltd. Movable Type Premium (Software Edition) 9.0.4 (MTP 9.0 series)
Six Apart Ltd. Movable Type Premium (Software Edition) 2.13 and earlier (MTP 2 series)
Six Apart Ltd. Movable Type Premium (Advanced Edition) (Software Edition) 9.0.4 (MTP 9.0 series)
Six Apart Ltd. Movable Type Premium (Advanced Edition) (Software Edition) 2.13 and earlier (MTP 2 series)
Six Apart Ltd. Movable Type (Cloud Edition) 9.0.5 (9 series)
Six Apart Ltd. Movable Type (Cloud Edition) 8.8.1 (8 series)
Six Apart Ltd. Movable Type Premium (Cloud Edition) 9.0.5 (9 series)
Six Apart Ltd. Movable Type Premium (Cloud Edition) 2.12 (MTP 2 series)

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.",
    "published": "2026-02-04T07:02:50.465Z",
    "modified": "2026-02-04T07:02:50.465Z",
    "type": "cve",
    "title": "CVE-2026-21393",
    "source": "jpcert",
    "references": "https://movabletype.org/news/2026/02/mt-906-released.html\nhttps://www.sixapart.jp/movabletype/news/2026/02/04-1100.html\nhttps://jvn.jp/en/jp/JVN45405689/",
    "id": "CVE-2026-21393",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Six Apart Ltd. Movable Type (Software Edition) 9.0.4 to 9.0.5 (9.0 series)\nSix Apart Ltd. Movable Type (Software Edition) 8.8.0 to 8.8.1 (8.8 series)\nSix Apart Ltd. Movable Type (Software Edition) 8.0.2 to 8.0.8 (8.0 series)\nSix Apart Ltd. Movable Type Advanced (Software Edition) 9.0.4 to 9.0.5 (9.0 series)\nSix Apart Ltd. Movable Type Advanced (Software Edition) 8.8.0 to 8.8.1 (8.8 series)\nSix Apart Ltd. Movable Type Advanced (Software Edition) 8.0.2 to 8.0.8 (8.0 series)\nSix Apart Ltd. Movable Type Premium (Software Edition) 9.0.4 (MTP 9.0 series)\nSix Apart Ltd. Movable Type Premium (Software Edition) 2.13 and earlier (MTP 2 series)\nSix Apart Ltd. Movable Type Premium (Advanced Edition) (Software Edition) 9.0.4 (MTP 9.0 series)\nSix Apart Ltd. Movable Type Premium (Advanced Edition) (Software Edition) 2.13 and earlier (MTP 2 series)\nSix Apart Ltd. Movable Type (Cloud Edition) 9.0.5 (9 series)\nSix Apart Ltd. Movable Type (Cloud Edition) 8.8.1 (8 series)\nSix Apart Ltd. Movable Type Premium (Cloud Edition) 9.0.5 (9 series)\nSix Apart Ltd. Movable Type Premium (Cloud Edition) 2.12 (MTP 2 series)",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Movable Type (Software Edition)",
    "version": "9.0.4 to 9.0.5 (9.0 series)",
    "vendor": "Six Apart Ltd.",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}