CVE-2026-23704 PUBLISHED

Assigner: jpcert
Reserved: 29.01.2026 Published: 04.02.2026 Updated: 04.02.2026

A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
CVSS Score: 5.1

Product Status

Vendor Six Apart Ltd.
Product Movable Type (Software Edition)
Versions
  • Version 9.0.4 to 9.0.5 (9.0 series) is affected
  • Version 8.8.0 to 8.8.1 (8.8 series) is affected
  • Version 8.0.2 to 8.0.8 (8.0 series) is affected
Vendor Six Apart Ltd.
Product Movable Type Advanced (Software Edition)
Versions
  • Version 9.0.4 to 9.0.5 (9.0 series) is affected
  • Version 8.8.0 to 8.8.1 (8.8 series) is affected
  • Version 8.0.2 to 8.0.8 (8.0 series) is affected
Vendor Six Apart Ltd.
Product Movable Type Premium (Software Edition)
Versions
  • Version 9.0.4 (MTP 9.0 series) is affected
  • Version 2.13 and earlier (MTP 2 series) is affected
Vendor Six Apart Ltd.
Product Movable Type Premium (Advanced Edition) (Software Edition)
Versions
  • Version 9.0.4 (MTP 9.0 series) is affected
  • Version 2.13 and earlier (MTP 2 series) is affected
Vendor Six Apart Ltd.
Product Movable Type (Cloud Edition)
Versions
  • Version 9.0.5 (9 series) is affected
  • Version 8.8.1 (8 series) is affected
Vendor Six Apart Ltd.
Product Movable Type Premium (Cloud Edition)
Versions
  • Version 9.0.5 (9 series) is affected
  • Version 2.12 (MTP 2 series) is affected

References

Problem Types