CVE-2026-21393
Description
Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type Edit Comment contains a stored cross-site scripting (XSS) vulnerability, allowing an attacker to execute arbitrary script in a logged-in user's browser.
Vulnerability Description
Movable Type's Edit Comment functionality is affected by a stored cross-site scripting (XSS) vulnerability (CWE-79) [1][2]. The flaw allows an attacker to store crafted input that, when viewed by a logged-in user, executes arbitrary script in their web browser. The root cause is insufficient sanitization of user-supplied data within comment editing fields.
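The defensive counterpart to the root cause described above is to treat stored comment text as untrusted on every render: encode it as text and keep only an allowlist of markup. The following is an added Python illustration of that pattern, not Movable Type's own code; the tag and attribute allowlists and the comment samples are assumptions chosen for the demonstration.

```python
# Allowlist-based comment sanitizer (added illustration, not Movable Type's code).
# Untrusted comment HTML is rebuilt so that only a small set of tags and
# attributes survive; all text is HTML-encoded, script/style bodies are dropped.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}                              # no event handlers, no style
SAFE_SCHEMES = ("http://", "https://")                       # blocks javascript:/data: URLs


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = None  # set while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping = tag          # discard the element and its body
            return
        if tag not in ALLOWED_TAGS:
            return                       # disallowed element: emit nothing
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # strips onerror=, onclick=, style=, ...
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue                 # drops non-http(s) link targets
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.dropping:
            return
        self.out.append(escape(data, quote=True))  # text nodes are always encoded


def sanitize_comment(raw: str) -> str:
    """Return a safe HTML rendering of an untrusted comment body."""
    parser = CommentSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Applying the same function on the Edit Comment view (not only on submission) is what closes the stored variant, since data already in the database may predate the sanitizer.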
Attack Vector
The attack requires low privileges (authenticated user) and user interaction, as the victim must access the malicious comment [2]. The attacker can store the payload by submitting a crafted comment through the normal comment submission mechanism, with no special network position required beyond standard web access. The vulnerability is exploitable on affected versions including Movable Type 7.x and 8.4.x series, which are End-of-Life (EOL) [1][2].
Impact
Successful exploitation leads to execution of arbitrary script in the context of the victim's session, potentially enabling actions such as session hijacking, content manipulation, or forced operations on behalf of the logged-in user. The CVSS v3 base score is 5.4 (Medium) with a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [2].
Mitigation
Six Apart released security updates on February 4, 2026, including Movable Type 9.1.0, 9.0.6, 8.8.2, and 8.0.9, and corresponding Premium versions, which address this vulnerability [1][3]. Users on EOL branches (7.x, 8.4.x) are strongly advised to upgrade to a supported, patched version [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7 series, 8.4 series
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.