CVE-2026-21393
Unknown Unknown - Not Provided
Stored XSS in Movable Type Edit Comment Allows Script Execution

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: JPCERT/CC

Description
Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21393
EUVD
EUVD-2026-5437
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
six_apart movable_type 9.1.0
six_apart movable_type 9.0.6
six_apart movable_type 8.8.2
six_apart movable_type 8.0.9
six_apart movable_type_premium 9.1.0
six_apart movable_type_premium 2.14
six_apart movable_type 8.0.2
six_apart movable_type 9.0.5
six_apart movable_type_premium 9.0.4
six_apart movable_type_premium 2.13
six_apart movable_type_cloud 9.0.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21393 is a stored cross-site scripting (XSS) vulnerability found in Movable Type software, specifically in the Edit Comment and theme listing screens.

This vulnerability allows an attacker to inject malicious scripts via crafted input that gets stored and later executed in the web browsers of logged-in users when they access the affected interfaces.

The issue affects multiple versions including end-of-life versions 7.x and 8.4.x. The vulnerability is fixed by implementing input sanitization and validation to prevent script injection.

Impact Analysis

This vulnerability can lead to arbitrary script execution in the browsers of logged-in users of Movable Type, potentially compromising user sessions and site integrity.

An attacker could exploit this to perform actions on behalf of users, steal sensitive information, or manipulate the website content.

Because the malicious script is stored and executed when users interact with the comment editing or theme listing screens, it poses a persistent threat to the affected web application.

Mitigation Strategies

To mitigate CVE-2026-21393, users should immediately update Movable Type to the latest fixed versions provided by Six Apart Ltd. These versions include Movable Type Software Edition 9.0.6, 8.8.2, and 8.0.9; Movable Type Premium 9.1.0 and 2.14; and Movable Type Cloud Edition 9.1.0 and 8.8.2.

The update addresses the stored cross-site scripting vulnerability by implementing input sanitization and validation in the comment editing and theme listing screens.

Users of End-of-Life versions such as Movable Type 7.x and 8.4.x are strongly recommended to upgrade due to continued exposure to this vulnerability.

It is also recommended to back up databases before applying updates and to perform installations in separate directories rather than overwriting existing installations.

Compliance Impact

The provided information does not explicitly address how CVE-2026-21393 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart