CVE-2026-21393 MEDIUM

CVE-2026-21393

Vendor Six Apart Ltd.
Product Movable Type (Software Edition)
Weakness CWE-79 · XSS
Published February 4, 2026
Last update February 4, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Key dates

02Disclosure timeline

February 4, 2026 CVE published
February 4, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-23909 WordPress Compare Ninja plugin <= 2.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2023-48583 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2023-31177 Improper neutralizataion of input could lead to execution of arbitrary code CVE-2024-9205 Maximum Products per User for WooCommerce <= 4.2.8 - Reflected Cross-Site Scripting CVE-2024-51809 WordPress Keymaster Chord Notation Free plugin <= 1.0.2 - Stored Cross Site Scripting (XSS) vulnerability