Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.
AnalysisAI
SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.
Technical ContextAI
Movable Type is a content management system and publishing platform developed by Six Apart Ltd. The vulnerability stems from CWE-89 (SQL Injection), a class of input validation failure where user-controlled data is improperly sanitized before inclusion in SQL queries. The affected component fails to properly parameterize or escape database input, allowing attackers to inject arbitrary SQL commands. This is a classic application-level flaw where dynamic query construction without bound parameters or adequate input filtering enables direct database manipulation.
RemediationAI
Vendor-released patch: Movable Type 9.07 or later. All users running Movable Type versions prior to 9.07 should immediately upgrade to version 9.07 to remediate the SQL injection vulnerability. Detailed patch information and upgrade instructions are available in the official vendor advisories at https://movabletype.org/news/2026/04/mt-907-released.html and https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html. As a defense-in-depth measure during transition, restrict network access to Movable Type administrative interfaces and monitor database query logs for suspicious SQL patterns.
More in Movable Type
View allMovable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque
Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab
SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before
Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a
Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical
Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)
Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar
Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via
SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20133