CVE-2026-44392

MEDIUM

Movable Type < 9.1.1, < 9.0.7, < 8.8.3, < 8.0.10 - Missing Authorization

Title source: llm

Description

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

References (3)

Core 3

Core References

https://jvn.jp/en/jp/JVN66473735/

https://movabletype.org/news/2026/05/mt-908-released.html

https://www.sixapart.jp/movabletype/news/2026/05/20-1100.html

Scores

CVSS v3 4.3

EPSS 0.0025

EPSS Percentile 15.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (14)

Six Apart Ltd./Movable Type 8.0.10 and earlier

Six Apart Ltd./Movable Type 8.8.3 and earlier

Six Apart Ltd./Movable Type 9.0.7 and earlier

Six Apart Ltd./Movable Type 9.1.1 and earlier

Six Apart Ltd./Movable Type Advanced 8.0.10 and earlier

Six Apart Ltd./Movable Type Advanced 8.8.3 and earlier

Six Apart Ltd./Movable Type Advanced 9.0.7 and earlier

Six Apart Ltd./Movable Type Advanced 9.1.1 and earlie

Six Apart Ltd./Movable Type Premium 2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)

Six Apart Ltd./Movable Type Premium 9.0.7 and earlier

... and 4 more

Published May 20, 2026

Tracked Since May 20, 2026