Movable Type Unrestricted File Upload Vulnerability Allowing Cross-Site Scripting

Vulnerability

A vulnerability exists in Movable Type versions 9.0.4 to 9.0.5, 8.8.0 to 8.8.1, 8.0.2 to 8.0.8, as well as in Movable Type Premium versions 2.13 and earlier. This vulnerability allows non-administrative users to upload malicious files. When an administrator accesses one of these files, arbitrary scripts can execute in the administrator's browser. Additionally, Movable Type 7 series and 8.4 series, which are End-of-Life, are also affected.

Impact

Exploitation of this vulnerability could result in the execution of arbitrary scripts in the browser of an administrator who accesses the uploaded malicious file.

Remediation

Users are advised to update to Movable Type versions 9.0.6, 8.8.2, or 8.0.9. Movable Type Premium users should update to version 9.1.0 or 2.14. For more details, refer to the Movable Type release notes.
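
To triage an inventory against the ranges above, the following added example (not part of the original advisory or of Movable Type) classifies each installation and names the fixed release to move to. The product labels `mt` and `premium`, the status strings, and the sample hosts are assumptions made for illustration; the version ranges are copied from this page.

```python
# Added example: ranges and fixed releases below are copied from the advisory text.
MT_RANGES = [  # (first affected, last affected, fixed release)
    ((9, 0, 4), (9, 0, 5), "9.0.6"),
    ((8, 8, 0), (8, 8, 1), "8.8.2"),
    ((8, 0, 2), (8, 0, 8), "8.0.9"),
]

def parse(version):
    """'8.0.8' -> (8, 0, 8); short versions are zero-padded, extras dropped."""
    parts = [int(p) for p in version.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(product, version):
    """Classify one install; product is 'mt' or 'premium' (labels assumed here)."""
    try:
        v = parse(version)
    except ValueError:
        return ("unparsable", None)
    if product == "premium":
        if v[:2] <= (2, 13):              # "2.13 and earlier"
            return ("affected", "9.1.0 or 2.14")
        if v[0] == 2 or v >= (9, 1, 0):   # 2.14 or later 2.x, or 9.1.0 and later
            return ("fixed", None)
        return ("not-listed", None)
    if v[0] == 7 or v[:2] == (8, 4):      # End-of-Life series, no fix named here
        return ("affected-eol", None)
    for first, last, fixed in MT_RANGES:
        if first <= v <= last:
            return ("affected", fixed)
        if v[:2] == first[:2] and v >= parse(fixed):
            return ("fixed", None)
    return ("not-listed", None)           # advisory is silent on this version

def scan(inventory):
    """Map host -> (status, upgrade target) for (host, product, version) rows."""
    return {host: triage(product, ver) for host, product, ver in inventory}

# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("blog-01", "mt", "9.0.5"),
    ("blog-02", "mt", "8.0.9"),
    ("legacy-01", "mt", "7.9.4"),
    ("cms-01", "premium", "2.13"),
    ("cms-02", "premium", "9.1.0"),
]

if __name__ == "__main__":
    for host, (status, target) in scan(SAMPLE).items():
        print(f"{host}: {status}" + (f", update to {target}" if target else ""))
```

A `not-listed` result means this page names the version as neither affected nor fixed, so it should be checked against the Movable Type release notes rather than treated as safe.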

Added: Feb 4, 2026, 7:19 AM
Updated: Feb 4, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 5.0
remediation: 7.7
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.