Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.
AnalysisAI
Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.
Technical ContextAI
Movable Type is a Perl-based content management system and blogging platform developed by Six Apart Ltd. This vulnerability represents a CWE-94 code injection flaw, where insufficient input validation or sanitization allows attackers to inject and execute arbitrary Perl code within the application context. Code injection vulnerabilities differ from command injection by allowing execution of code in the application's own runtime environment rather than external system commands. In Perl applications, this typically occurs when user-controlled input is passed to dangerous functions like eval() or similar constructs without proper validation. The vulnerability affects the core CMS platform, potentially impacting all functionality running within the Movable Type installation including content management, template processing, and administrative functions.
RemediationAI
Immediately upgrade to Movable Type version 9.0.7 or later as documented in the vendor security release at https://movabletype.org/news/2026/04/mt-907-released.html and https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html. The vendor-released patch in MT 9.0.7 addresses the underlying code injection vulnerability. Given the unauthenticated remote exploitation vector and critical CVSS score, prioritize emergency patching for all internet-facing installations. If immediate patching is not feasible, consider temporary mitigation by restricting network access to Movable Type administrative interfaces through IP allowlisting or placing the application behind VPN until patching can be completed. Review application logs for suspicious Perl execution patterns or unexpected administrative actions that could indicate reconnaissance or exploitation attempts. No workarounds are documented as substitutes for patching.
More in Movable Type
View allMovable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab
SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before
Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar
Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.
Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authentic
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20132
GHSA-mx97-3vf8-2r7p