Export Sites. If CVE-2026-22875
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AnalysisAI
Stored XSS in Movable Type's Export Sites feature allows authenticated attackers to inject malicious scripts that execute in the browsers of logged-in users. The vulnerability affects Movable Type 7 and 8.4 series (both EOL) and requires an attacker to first store the crafted payload through the application. No patch is currently available for this medium-severity flaw.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Affected ProductsAI
Movable Type contains a stored cross-site scripting vulnerability in Export Sites
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today