CVE-2026-22875
Description
Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Movable Type contains a stored XSS vulnerability in Export Sites; crafted input can execute arbitrary script on a logged-in user's browser.
Vulnerability Analysis
CVE-2026-22875 is a stored cross-site scripting (XSS) vulnerability found in the Export Sites functionality of Movable Type [2]. The root cause is that user-supplied input is not properly sanitized before being stored and later rendered, allowing an attacker to inject malicious scripts that persist within the application [2]. This issue affects multiple versions including the End-of-Life (EOL) Movable Type 7 series and 8.4 series [1].
Exploitation
To exploit this vulnerability, an attacker must be authenticated and able to submit crafted input that is subsequently processed by the Export Sites feature [2]. The attack requires user interaction (UI:R): a logged-in user must view the exported content containing the malicious payload [2]. The attack is network-based (AV:N), has low complexity (AC:L), and requires low privileges (PR:L) [2].
Impact
If successfully exploited, arbitrary scripts can execute in the web browser of a logged-in user who accesses the affected site export [2]. The CVSS v3.0 base score is 5.4 (Medium) with a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating a scope change (S:C) with low impact to confidentiality and integrity and no impact to availability [2]. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) [2].
Mitigation
Six Apart has released security updates to address this vulnerability: Movable Type 9.1.0, 9.0.6, 8.8.2, and 8.0.9, with corresponding updates for Movable Type Premium [1][3]. Users are strongly recommended to update to these fixed versions [1]. For EOL versions (7 series and 8.4 series), no patches will be provided; users must upgrade to a supported release [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 7 series and 8.4 series
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.