Stored Cross-Site Scripting Vulnerability in Movable Type by Six Apart
CVE-2026-21393

4.8MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type (software Edition); Movable Type Advanced (software Edition); Movable Type Premium (software Edition); Movable Type Premium (advanced Edition) (software Edition)
Vendor: CVE Published:; 4 February 2026

🔔 Create Six Apart Ltd. Vulnerability Alert

What is CVE-2026-21393?

Movable Type is impacted by a stored cross-site scripting vulnerability found in the Edit Comment functionality. If an attacker inputs crafted data, it can be stored and later executed as arbitrary script in the web browsers of users who are logged in. This vulnerability is particularly concerning for users of the Movable Type 7 and 8.4 series, which are noted as End-of-Life (EOL), leaving them open to exploitation.

Affected Version(s)

Movable Type (Cloud Edition) 9.0.5 (9 series)

Movable Type (Cloud Edition) 8.8.1 (8 series)

Movable Type (Software Edition) 9.0.4 to 9.0.5 (9.0 series)

References

https://movabletype.org/news/2026/02/mt-906-released.html

https://www.sixapart.jp/movabletype/news/2026/02/04-1100....

https://jvn.jp/en/jp/JVN45405689/

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2026
Vulnerability Reserved
Jan 29, 2026

CVE-2026-21393 Data

JSON