File Upload Vulnerability in Movable Type by Six Apart
CVE-2026-23704

5.1MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type (software Edition); Movable Type Advanced (software Edition); Movable Type Premium (software Edition); Movable Type Premium (advanced Edition) (software Edition)
Vendor: CVE Published:; 4 February 2026

🔔 Create Six Apart Ltd. Vulnerability Alert

What is CVE-2026-23704?

A vulnerability exists in Movable Type that allows non-administrative users to upload malicious files. If these files are accessed by an administrator or other privileged users, it can result in the execution of arbitrary scripts in the administrator's browser. This vulnerability notably affects both the End-of-Life (EOL) 7 series and 8.4 series of Movable Type products, posing a significant risk for users still utilizing these versions.

Affected Version(s)

Movable Type (Cloud Edition) 9.0.5 (9 series)

Movable Type (Cloud Edition) 8.8.1 (8 series)

Movable Type (Software Edition) 9.0.4 to 9.0.5 (9.0 series)

References

https://movabletype.org/news/2026/02/mt-906-released.html

https://www.sixapart.jp/movabletype/news/2026/02/04-1100....

https://jvn.jp/en/jp/JVN45405689/

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2026
Vulnerability Reserved
Jan 29, 2026

CVE-2026-23704 Data

JSON