CVE-2026-21393
Stored XSS in Movable Type Edit Comment Allows Script Execution
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| six_apart | movable_type | 9.1.0 |
| six_apart | movable_type | 9.0.6 |
| six_apart | movable_type | 8.8.2 |
| six_apart | movable_type | 8.0.9 |
| six_apart | movable_type_premium | 9.1.0 |
| six_apart | movable_type_premium | 2.14 |
| six_apart | movable_type | 8.0.2 |
| six_apart | movable_type | 9.0.5 |
| six_apart | movable_type_premium | 9.0.4 |
| six_apart | movable_type_premium | 2.13 |
| six_apart | movable_type_cloud | 9.0.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21393 is a stored cross-site scripting (XSS) vulnerability found in Movable Type software, specifically in the Edit Comment and theme listing screens.
This vulnerability allows an attacker to inject malicious scripts via crafted input that gets stored and later executed in the web browsers of logged-in users when they access the affected interfaces.
The issue affects multiple versions including end-of-life versions 7.x and 8.4.x. The vulnerability is fixed by implementing input sanitization and validation to prevent script injection.
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary script execution in the browsers of logged-in users of Movable Type, potentially compromising user sessions and site integrity.
An attacker could exploit this to perform actions on behalf of users, steal sensitive information, or manipulate the website content.
Because the malicious script is stored and executed when users interact with the comment editing or theme listing screens, it poses a persistent threat to the affected web application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-21393, users should immediately update Movable Type to the latest fixed versions provided by Six Apart Ltd. These versions include Movable Type Software Edition 9.0.6, 8.8.2, and 8.0.9; Movable Type Premium 9.1.0 and 2.14; and Movable Type Cloud Edition 9.1.0 and 8.8.2.
The update addresses the stored cross-site scripting vulnerability by implementing input sanitization and validation in the comment editing and theme listing screens.
Users of End-of-Life versions such as Movable Type 7.x and 8.4.x are strongly recommended to upgrade due to continued exposure to this vulnerability.
It is also recommended to back up databases before applying updates and to perform installations in separate directories rather than overwriting existing installations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not explicitly address how CVE-2026-21393 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know