SQL Injection Vulnerability in Movable Type by Six Apart Ltd.
CVE-2026-33088

6.9MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type; Movable Type Advanced; Movable Type Premium; Movable Type Premium Advanced Edition
Vendor: CVE Published:; 8 April 2026

🔔 Create Six Apart Ltd. Vulnerability Alert

What is CVE-2026-33088?

Movable Type, developed by Six Apart Ltd., is susceptible to an SQL Injection vulnerability that could allow an attacker to manipulate SQL queries by injecting malicious code. This weakness may lead to unauthorized data access or data manipulation, posing significant risks to web application security. Users and administrators of affected Movable Type versions should prioritize patching to safeguard their systems against exploitation.

Affected Version(s)

Movable Type 9.1.0 and earlier

Movable Type 9.0.6 and earlier

Movable Type 8.8.2 and earlier

References

https://movabletype.org/news/2026/04/mt-907-released.html

https://www.sixapart.jp/movabletype/news/2026/04/08-1100....

https://jvn.jp/en/jp/JVN66473735/

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

CVSS V3.0

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 26, 2026

CVE-2026-33088 Data

JSON