{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23704", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-29T02:02:31.425Z", "datePublished": "2026-02-04T07:03:37.889Z", "dateUpdated": "2026-02-04T16:07:28.812Z"}, "containers": {"cna": {"affected": [{"vendor": "Six Apart Ltd.", "product": "Movable Type (Software Edition)", "versions": [{"version": "9.0.4 to 9.0.5 (9.0 series)", "status": "affected"}, {"version": "8.8.0 to 8.8.1 (8.8 series)", "status": "affected"}, {"version": "8.0.2 to 8.0.8 (8.0 series)", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Advanced (Software Edition)", "versions": [{"version": "9.0.4 to 9.0.5 (9.0 series)", "status": "affected"}, {"version": "8.8.0 to 8.8.1 (8.8 series)", "status": "affected"}, {"version": "8.0.2 to 8.0.8 (8.0 series)", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Software Edition)", "versions": [{"version": "9.0.4 (MTP 9.0 series)", "status": "affected"}, {"version": "2.13 and earlier (MTP 2 series)", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Advanced Edition) (Software Edition)", "versions": [{"version": "9.0.4 (MTP 9.0 series)", "status": "affected"}, {"version": "2.13 and earlier (MTP 2 series)", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type (Cloud Edition)", "versions": [{"version": "9.0.5 (9 series)", "status": "affected"}, {"version": "8.8.1 (8 series)", "status": "affected"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Cloud Edition)", "versions": [{"version": "9.0.5 (9 series)", "status": "affected"}, {"version": "2.12 (MTP 2 series)", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well."}], "problemTypes": [{"descriptions": [{"description": "Unrestricted upload of file with dangerous type", "lang": "en-US", "cweId": "CWE-434", "type": "CWE"}]}], "references": [{"url": "https://movabletype.org/news/2026/02/mt-906-released.html"}, {"url": "https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html"}, {"url": "https://jvn.jp/en/jp/JVN45405689/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-04T07:03:37.889Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:07:20.323679Z", "id": "CVE-2026-23704", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:07:28.812Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23704", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:07:20.323679Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:07:24.684Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Six Apart Ltd.", "product": "Movable Type (Software Edition)", "versions": [{"status": "affected", "version": "9.0.4 to 9.0.5 (9.0 series)"}, {"status": "affected", "version": "8.8.0 to 8.8.1 (8.8 series)"}, {"status": "affected", "version": "8.0.2 to 8.0.8 (8.0 series)"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Advanced (Software Edition)", "versions": [{"status": "affected", "version": "9.0.4 to 9.0.5 (9.0 series)"}, {"status": "affected", "version": "8.8.0 to 8.8.1 (8.8 series)"}, {"status": "affected", "version": "8.0.2 to 8.0.8 (8.0 series)"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Software Edition)", "versions": [{"status": "affected", "version": "9.0.4 (MTP 9.0 series)"}, {"status": "affected", "version": "2.13 and earlier (MTP 2 series)"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Advanced Edition) (Software Edition)", "versions": [{"status": "affected", "version": "9.0.4 (MTP 9.0 series)"}, {"status": "affected", "version": "2.13 and earlier (MTP 2 series)"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type (Cloud Edition)", "versions": [{"status": "affected", "version": "9.0.5 (9 series)"}, {"status": "affected", "version": "8.8.1 (8 series)"}]}, {"vendor": "Six Apart Ltd.", "product": "Movable Type Premium (Cloud Edition)", "versions": [{"status": "affected", "version": "9.0.5 (9 series)"}, {"status": "affected", "version": "2.12 (MTP 2 series)"}]}], "references": [{"url": "https://movabletype.org/news/2026/02/mt-906-released.html"}, {"url": "https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html"}, {"url": "https://jvn.jp/en/jp/JVN45405689/"}], "descriptions": [{"lang": "en", "value": "A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-434", "description": "Unrestricted upload of file with dangerous type"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-04T07:03:37.889Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23704", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:07:28.812Z", "dateReserved": "2026-01-29T02:02:31.425Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-04T07:03:37.889Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well."}, {"lang": "es", "value": "Un usuario no administrativo puede cargar archivos maliciosos. Cuando un administrador o el producto accede a ese archivo, un script arbitrario puede ejecutarse en el navegador del administrador. Tenga en cuenta que las series Movable Type 7 y 8.4, que est\u00e1n al final de su vida \u00fatil (EOL), tambi\u00e9n se ven afectadas por la vulnerabilidad."}], "id": "CVE-2026-23704", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-04T07:16:01.387", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN45405689/"}, {"source": "vultures@jpcert.or.jp", "url": "https://movabletype.org/news/2026/02/mt-906-released.html"}, {"source": "vultures@jpcert.or.jp", "url": "https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:04:01.211372+00:00", "value": {"mitigation_remediation": ["Apply the latest available Movable\u202fType patch that addresses the unrestricted upload issue.", "Configure the system to restrict file uploads to administrators only and enforce strict MIME\u2011type validation, allowing only safe formats such as images or PDFs.", "Remove any previously uploaded files that may contain malicious content from the public upload directories and disable direct access to these directories from the web."], "summary": {"action": "Patch", "impact": "Client\u2011side script execution in administrator browsers"}, "threat_synthesis": {"affected_systems": "The flaw affects all editions of Movable\u202fType supplied by Six\u202fApart, including the Cloud Edition, Software Edition, Advanced, and Premium releases. All affected releases are in the 7 series and 8.4 series, which are already end\u2011of\u2011life. No specific patch version list is provided, but the vulnerability exists across those series.", "description_and_impact": "A non\u2011administrative user can upload any file type, and when an administrator views that file through Movable\u202fType, the browser executes arbitrary script. This enables client\u2011side code execution that can steal credentials, deface content, or serve as a foothold for further attacks. The weakness is an unrestricted upload of dangerous file types (CWE\u2011434).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 5.1, indicating a moderate impact if successfully exploited. The EPSS score is below\u202f1\u202f%, suggesting very low but nonzero likelihood of exploitation in the wild. The issue is not listed in CISA\u2019s KEV catalog. An attacker needs only a non\u2011administrator account to upload a malicious file; execution requires that an administrator later accesses the file, which is a predictable action in normal usage. Exploitation does not require elevated privileges on the server, but the impact arises when the administrator\u2019s browser runs the injected script."}}}}, "created": "2026-02-04T21:18:19.391086+00:00", "title": "Unrestricted File Upload Enables Client\u2011Side Script Execution in Movable\u202fType", "updated": "2026-04-18T14:15:04.117085+00:00", "vendors": ["six_apart", "six_apart$PRODUCT$movable_type", "six_apart_ltd", "six_apart_ltd$PRODUCT$movable_type"]}