Home
MEDIUM: 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NMEDIUM: 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
affected
2.13 and earlier (MTP 2 series)
affected
affected
2.13 and earlier (MTP 2 series)
affected
affected
8.8.1 (8 series)
affected
affected
2.12 (MTP 2 series)
affected
Description
Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Problem types
Product status
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
2.13 and earlier (MTP 2 series)
2.13 and earlier (MTP 2 series)
8.8.1 (8 series)
2.12 (MTP 2 series)
References
movabletype.org/news/2026/02/mt-906-released.html
www.sixapart.jp/movabletype/news/2026/02/04-1100.html