Six Apart Movable Type
Moderate fix5 remedies
cpe:2.3:a:sixapart:movable_type:*:*:*:*:*:*:*, +2 more
Moderate fix5 remedies
- >= 9.0.4, <= 9.0.5
- >= 8.8.0, <= 8.8.1
- >= 8.0.2, <= 8.0.8
- 7
- 8.4
Movable Type Stored Cross-Site Scripting Vulnerability in Comment Editing
Vulnerability
Patched
A stored cross-site scripting vulnerability has been identified in Movable Type, affecting versions 9.0.4 to 9.0.5, 8.8.0 to 8.8.1, 8.0.2 to 8.0.8, and 2.13 and earlier of Movable Type Premium. Additionally, Movable Type 7 series and 8.4 series, which are End-of-Life, are also affected. This vulnerability allows an attacker to inject crafted input that is stored and later executed as arbitrary script in the web browser of a logged-in user.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser.
Remediation
Users can update to Movable Type versions 9.0.6, 8.8.2, or 8.0.9. Movable Type Premium users should update to version 9.1.0 or 2.14. For those using Movable Type Cloud Edition, version 9.1.0 or 8.8.2 is available. Instructions for updating are available on the Movable Type documentation site.
Added: Feb 4, 2026, 7:21 AM
Updated: Feb 4, 2026, 7:21 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
1.7exploitability
4.8remediation
7.7relevance
2.6threat
0.0urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.