MEDIUM: 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
9.0.4 to 9.0.5 (9.0 series)
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
9.0.4 to 9.0.5 (9.0 series)
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
9.0.4 (MTP 9.0 series)
affected
2.13 and earlier (MTP 2 series)
affected
9.0.4 (MTP 9.0 series)
affected
2.13 and earlier (MTP 2 series)
affected
9.0.5 (9 series)
affected
8.8.1 (8 series)
affected
9.0.5 (9 series)
affected
2.12 (MTP 2 series)
affected
Description
A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Problem types
Unrestricted upload of file with dangerous type
Product status
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
2.13 and earlier (MTP 2 series)
2.13 and earlier (MTP 2 series)
8.8.1 (8 series)
2.12 (MTP 2 series)
References
movabletype.org/news/2026/02/mt-906-released.html
www.sixapart.jp/movabletype/news/2026/02/04-1100.html