Code Injection Vulnerability in Movable Type by Six Apart Ltd.
CVE-2026-25776

9.3CRITICAL

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type; Movable Type Advanced; Movable Type Premium; Movable Type Premium Advanced Edition
Vendor: CVE Published:; 8 April 2026

🔔 Create Six Apart Ltd. Vulnerability Alert

What is CVE-2026-25776?

A security vulnerability in Movable Type by Six Apart Ltd. exposes users to potential code injection attacks. This issue could enable an attacker to execute arbitrary Perl scripts, posing serious risks to the integrity and confidentiality of the system. Users are advised to review and update their Movable Type installations promptly to safeguard against exploitation.

Affected Version(s)

Movable Type 9.1.0 and earlier

Movable Type 9.0.6 and earlier

Movable Type 8.8.2 and earlier

References

https://movabletype.org/news/2026/04/mt-907-released.html

https://www.sixapart.jp/movabletype/news/2026/04/08-1100....

https://jvn.jp/en/jp/JVN66473735/

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 26, 2026

CVE-2026-25776 Data

JSON