Skip to main content

Movable Type EUVDEUVD-2026-20133

| CVE-2026-33088 MEDIUM
SQL Injection (CWE-89)
2026-04-08 vultures@jpcert.or.jp
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 09:22 euvd
EUVD-2026-20133
Analysis Generated
Apr 08, 2026 - 09:22 vuln.today
CVE Published
Apr 08, 2026 - 09:16 nvd
MEDIUM 6.9

DescriptionCVE.org

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement.

AnalysisAI

SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.

Technical ContextAI

Movable Type is a content management system and publishing platform developed by Six Apart Ltd. The vulnerability stems from CWE-89 (SQL Injection), a class of input validation failure where user-controlled data is improperly sanitized before inclusion in SQL queries. The affected component fails to properly parameterize or escape database input, allowing attackers to inject arbitrary SQL commands. This is a classic application-level flaw where dynamic query construction without bound parameters or adequate input filtering enables direct database manipulation.

RemediationAI

Vendor-released patch: Movable Type 9.07 or later. All users running Movable Type versions prior to 9.07 should immediately upgrade to version 9.07 to remediate the SQL injection vulnerability. Detailed patch information and upgrade instructions are available in the official vendor advisories at https://movabletype.org/news/2026/04/mt-907-released.html and https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html. As a defense-in-depth measure during transition, restrict network access to Movable Type administrative interfaces and monitor database query logs for suspicious SQL patterns.

CVE-2015-1592 HIGH POC
7.5 Feb 19

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use

CVE-2013-0209 HIGH POC
7.5 Jan 23

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for reque

CVE-2021-20837 CRITICAL POC
9.8 Oct 26

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movab

CVE-2016-5742 CRITICAL
9.8 Jan 23

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before

CVE-2022-38078 CRITICAL
9.8 Aug 24

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2012-1503 MEDIUM POC
4.3 Aug 29

Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote a

CVE-2026-25776 CRITICAL
9.3 Apr 08

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical

CVE-2020-5577 HIGH
8.8 May 14

Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1)

CVE-2020-5576 HIGH
8.8 May 14

Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movab

CVE-2013-2184 HIGH
7.5 Mar 27

Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute ar

CVE-2012-0320 HIGH
7.5 Mar 03

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via

CVE-2014-9057 HIGH
7.5 Dec 16

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.

Share

EUVD-2026-20133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy