
April 2026

April 8, 2026

[Security Update] Movable Type 9.0.7, 8.8.3 and 8.0.10 Released

By Daiji Hirata and posted in MT Newsbox.

Critical security issues were found and fixed in the Listing Framework of Movable Type. For those of you who use Movable Type 6.0 and later, Six Apart strongly recommends that you upgrade to the latest version or execute one of the following workarounds immediately.

Detail of the Issues

The Listing Framework, which is used internally by the Admin Panel (mt.cgi) and the Data API (mt-data-api.cgi), contained the following vulnerabilities:

- Remote Code Execution (RCE) via Filter Processing: A vulnerability was found in the filtering process of the Listing Framework that could allow the execution of arbitrary Perl code (CVE-2026-25776, MTC-31204).
- SQL Injection via Request Processing: A vulnerability was found in the request processing of the Listing Framework that could allow the execution of arbitrary SQL commands (CVE-2026-33088, MTC-31212).

These issues may occur when the Admin Panel or Data API can be accessed from the Internet.

Workarounds for those who cannot upgrade to the latest version

The following steps can be taken to avoid or reduce the impact of the vulnerability:

- Restrict access to the Admin Panel (mt.cgi) and Data API (mt-data-api.cgi): Limit access to these scripts to trusted IP addresses only.
- Disable the Data API: If you are not using the…
