Skip to main content

Movable Type

35 CVEs product

Monthly

CVE-2026-44392 MEDIUM This Month

Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.

Authentication Bypass Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced Edition
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-33088 MEDIUM This Month

SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.

SQLi Movable Type
NVD
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-25776 CRITICAL Act Now

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Code Injection RCE Movable Type
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2023-45746 MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-45122 MEDIUM This Month

Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-45113 MEDIUM This Month

Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Movable Type
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2022-43660 HIGH This Week

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection Movable Type
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2022-38078 CRITICAL Act Now

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection Movable Type
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-20837 CRITICAL POC THREAT Act Now

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Movable Type
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
88.1%
CVE-2021-20815 MEDIUM This Month

Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20814 MEDIUM This Month

Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20813 MEDIUM This Month

Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20812 MEDIUM This Month

Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20811 MEDIUM This Month

Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20810 MEDIUM This Month

Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20809 MEDIUM This Month

Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20808 MEDIUM This Month

Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2021-20665 MEDIUM This Month

Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-20664 MEDIUM This Month

Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-20663 MEDIUM This Month

Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced Movable Type Premium Movable Type Premium Advanced
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2020-5577 HIGH This Week

Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Movable Type
NVD
CVSS 3.1
8.8
EPSS
1.7%
CVE-2020-5576 HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Movable Type
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2020-5575 MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-5574 MEDIUM This Month

HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Movable Type
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2020-5528 MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2019-6025 MEDIUM This Month

Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Movable Type
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2018-0672 MEDIUM This Month

Cross-site scripting vulnerability in Movable Type versions prior to Ver. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2016-5742 CRITICAL Act Now

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Movable Type Movable Type Open Source
NVD VulDB
CVSS 3.0
9.8
EPSS
1.0%
CVE-2013-2184 HIGH This Week

Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Movable Type
NVD
CVSS 2.0
7.5
EPSS
2.3%
CVE-2015-1592 HIGH POC THREAT Act Now

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.0%.

RCE Debian Linux Movable Type
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
81.0%
Threat
5.4
CVE-2014-9057 HIGH This Week

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Debian Linux Movable Type
NVD
CVSS 2.0
7.5
EPSS
0.4%
CVE-2012-1503 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Movable Type
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
6.9%
CVE-2013-0209 HIGH POC PATCH THREAT Act Now

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 80.6%.

SQLi Authentication Bypass Movable Type
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
80.6%
Threat
5.4
CVE-2012-0320 HIGH PATCH This Week

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via unspecified vectors related to the (1) commenting feature and (2) community. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Movable Type
NVD
CVSS 2.0
7.5
EPSS
1.2%
CVE-2012-0317 MEDIUM PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF Movable Type
NVD
CVSS 2.0
6.8
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Movable Type allows authenticated non-administrator users to trigger unintended update operations under certain conditions. Affecting Movable Type, Movable Type Advanced, and Movable Type Premium products by Six Apart Ltd., the flaw (CWE-862) permits a low-privileged user to bypass access controls and perform write operations that should be restricted to administrators. No public exploit or CISA KEV listing exists at time of analysis; the vendor released a fix in version 9.0.8 on 2026-05-20 per the Six Apart advisory.

Authentication Bypass Movable Type Movable Type Advanced +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

SQL injection in Movable Type allows unauthenticated remote attackers to execute arbitrary SQL statements through unvalidated input, potentially enabling unauthorized data access, modification, or deletion. The vulnerability affects Movable Type versions prior to 9.07 with a CVSS score of 6.9 (medium-high severity); exploitation requires only network access and no user interaction, making it broadly exploitable despite limited scope of confidentiality and integrity impact.

SQLi Movable Type
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Code injection in Movable Type CMS allows unauthenticated remote attackers to execute arbitrary Perl code with critical impact. The CVSS:4.0 score of 9.3 reflects network-accessible exploitation requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), enabling complete system compromise. No public exploit identified at time of analysis, though EPSS data unavailable. Vendor Six Apart has released patched version MT 9.0.7 addressing this CWE-94 code injection flaw.

Code Injection RCE Movable Type
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Movable Type Movable Type 7 r.5301 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5301 and earlier (Movable Type Advanced 7 Series), Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper validation of syntactic correctness of input vulnerability exist in Movable Type series. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Movable Type
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Improper neutralization of Server-Side Includes (SSW) within a web page in Movable Type series allows a remote authenticated attacker with Privilege of 'Manage of Content Types' may execute an. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

Movable Type XMLRPC API provided by Six Apart Ltd. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Command Injection Code Injection +1
NVD
EPSS 88% CVSS 9.8
CRITICAL POC THREAT Act Now

Movable Type 7 r.5002 and earlier (Movable Type 7 Series), Movable Type 6.8.2 and earlier (Movable Type 6 Series), Movable Type Advanced 7 r.5002 and earlier (Movable Type Advanced 7 Series), Movable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Movable Type
NVD Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Edit Boilerplate screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Setting screen of ContentType Information Widget Plugin of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type Advanced 7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Edit screen of Content Data of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series) and Movable Type Advanced 7 r.4903 and earlier (Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Setting screen of Server Sync of Movable Type (Movable Type Advanced 7 r.4903 and earlier (Movable Type Advanced 7 Series) and Movable Type Premium Advanced 1.44. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in List of Assets screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Website Management screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Create screens of Entry, Page, and Content Type of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Search screen of Movable Type (Movable Type 7 r.4903 and earlier (Movable Type 7 Series), Movable Type 6.8.0 and earlier (Movable Type 6 Series), Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced +2
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type Movable Type Advanced +2
NVD
EPSS 2% CVSS 8.8
HIGH This Week

Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7), Movable Type for AWS 7 r.4606 (7.2.1). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP Movable Type
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Cross-site request forgery (CSRF) vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type Advanced 7),. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

HTML attribute value injection vulnerability in Movable Type series (Movable Type 7 r.4606 (7.2.1) and earlier (Movable Type 7), Movable Type Advanced 7 r.4606 (7.2.1) and earlier (Movable Type. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Movable Type series (Movable Type 7 r.4603 and earlier (Movable Type 7), Movable Type 6.5.2 and earlier (Movable Type 6.5), Movable Type Advanced 7 r.4603 and. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Movable Type
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Cross-site scripting vulnerability in Movable Type versions prior to Ver. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Movable Type
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SQL injection vulnerability in the XML-RPC interface in Movable Type Pro and Advanced 6.x before 6.1.3 and 6.2.x before 6.2.6 and Movable Type Open Source 5.2.13 and earlier allows remote attackers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Movable Type Movable Type Open Source
NVD VulDB
EPSS 2% CVSS 7.5
HIGH This Week

Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Movable Type
NVD
EPSS 81% 5.4 CVSS 7.5
HIGH POC THREAT Act Now

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 81.0%.

RCE Debian Linux Movable Type
NVD Exploit-DB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection vulnerability in the XML-RPC interface in Movable Type before 5.18, 5.2.x before 5.2.11, and 6.x before 6.0.6 allows remote attackers to execute arbitrary SQL commands via unspecified. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Debian Linux Movable Type
NVD
EPSS 7% CVSS 4.3
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Movable Type
NVD Exploit-DB
EPSS 81% 5.4 CVSS 7.5
HIGH POC PATCH THREAT Act Now

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 80.6%.

SQLi Authentication Bypass Movable Type
NVD Exploit-DB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote attackers to take control of sessions via unspecified vectors related to the (1) commenting feature and (2) community. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Movable Type
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF Movable Type
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy