CVE-2025-62499
Description
Movable Type contains a stored cross-site scripting vulnerability in Edit CategorySet of ContentType page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit CategorySet of ContentType page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Movable Type's Edit CategorySet allows attackers with ContentType Management privilege to execute arbitrary scripts.
Vulnerability
CVE-2025-62499 is a stored cross-site scripting (XSS) vulnerability in the Edit CategorySet of the ContentType page in Movable Type. The flaw arises from insufficient sanitization of user-supplied input when storing category set data [2].
Exploitation
An attacker must have the "ContentType Management" privilege to store malicious input. When a privileged user accesses the Edit CategorySet page, the crafted script executes in the context of their browser, requiring no additional user interaction beyond viewing the page [2].
Impact
Successful exploitation allows arbitrary script execution within the victim's browser session, potentially leading to data theft, session hijacking, or unauthorized actions on behalf of the victim. The vulnerability has a CVSS v3 base score of 4.8 (Medium) [2].
Mitigation
Six Apart has released patched versions: Movable Type 8.8.0, 8.4.4, 8.0.8, 7 r.5510, and corresponding Premium versions 2.11 and 1.68 [1][3]. Users should upgrade immediately. Note that Movable Type 7 reaches end-of-life on November 1, 2025, and 8.4.x on November 22, 2025 [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 8.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.