Skip to main content

Movable Type CVE-2026-25776

| EUVDEUVD-2026-20132 CRITICAL
Code Injection (CWE-94)
2026-04-08 vultures@jpcert.or.jp GHSA-mx97-3vf8-2r7p
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 17:52 vuln.today
cvss_changed
EUVD ID Assigned
Apr 08, 2026 - 09:22 euvd
EUVD-2026-20132
Analysis Generated
Apr 08, 2026 - 09:22 vuln.today
CVE Published
Apr 08, 2026 - 09:16 nvd
CRITICAL 9.3

DescriptionCVE.org

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.

AnalysisAI

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Technical ContextAI

Movable Type is a Perl-based content management system and blogging platform developed by Six Apart Ltd. This vulnerability represents a CWE-94 code injection flaw, where insufficient input validation or sanitization allows attackers to inject and execute arbitrary Perl code within the application context. Code injection vulnerabilities differ from command injection by allowing execution of code in the application's own runtime environment rather than external system commands. In Perl applications, this typically occurs when user-controlled input is passed to dangerous functions like eval() or similar constructs without proper validation. The vulnerability affects the core CMS platform, potentially impacting all functionality running within the Movable Type installation including content management, template processing, and administrative functions.

RemediationAI

Immediately upgrade to Movable Type version 9.0.7 or later as documented in the vendor security release at https://movabletype.org/news/2026/04/mt-907-released.html and https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html. The vendor-released patch in MT 9.0.7 addresses the underlying code injection vulnerability. Given the unauthenticated remote exploitation vector and critical CVSS score, prioritize emergency patching for all internet-facing installations. If immediate patching is not feasible, consider temporary mitigation by restricting network access to Movable Type administrative interfaces through IP allowlisting or placing the application behind VPN until patching can be completed. Review application logs for suspicious Perl execution patterns or unexpected administrative actions that could indicate reconnaissance or exploitation attempts. No workarounds are documented as substitutes for patching.

CVE-2015-1592 HIGH POC
7.5 Feb 19

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use

CVE-2013-0209 HIGH POC
7.5 Jan 23

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque

CVE-2021-20837 CRITICAL POC
9.8 Oct 26

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab

CVE-2016-5742 CRITICAL
9.8 Jan 23

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before

CVE-2022-38078 CRITICAL
9.8 Aug 24

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2012-1503 MEDIUM POC
4.3 Aug 29

Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a

CVE-2020-5577 HIGH
8.8 May 14

Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)

CVE-2020-5576 HIGH
8.8 May 14

Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab

CVE-2013-2184 HIGH
7.5 Mar 27

Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar

CVE-2012-0320 HIGH
7.5 Mar 03

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via

CVE-2014-9057 HIGH
7.5 Dec 16

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.

CVE-2022-43660 HIGH
7.2 Dec 07

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authentic

Share

CVE-2026-25776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy