Critical security issues were found and fixed in the Listing Framework of Movable Type.
For those of you who use Movable Type 6.0 and later, Six Apart strongly recommends that you upgrade to the latest version or execute one of the following workarounds immediately.
Detail of the Issues
The Listing Framework, which is used internally by the Admin Panel (mt.cgi) and the Data API (mt-data-api.cgi), contained the following vulnerabilities:
- Remote Code Execution (RCE) via Filter Processing: A vulnerability was found in the filtering process of the Listing Framework that could allow the execution of arbitrary Perl code (CVE-2026-25776, MTC-31204).
- SQL Injection via Request Processing: A vulnerability was found in the request processing of the Listing Framework that could allow the execution of arbitrary SQL commands (CVE-2026-33088, MTC-31212).
These issues may occur when the Admin Panel or Data API can be accessed from the Internet.
Workarounds for those who cannot upgrade to the latest version
The following steps can be taken to avoid or reduce the impact of these vulnerabilities:
- Restrict access to the Admin Panel (mt.cgi) and Data API (mt-data-api.cgi): Limit access to these scripts to trusted IP addresses only.
- Disable the Data API: If you are not using the Data API, disable mt-data-api.cgi by removing its execution permissions or deleting the file.
Note: These are temporary mitigation steps. Since these vulnerabilities affect core framework components, upgrading to the latest version is the only way to fully resolve the issues.
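One way to apply and verify the "Disable the Data API" workaround, as an added example that is not Six Apart's code. It assumes Movable Type runs as plain CGI, that the script keeps the file name mt-data-api.cgi, and that the install directory is passed as an argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: apply and verify the "Disable the Data API" workaround.
# Assumption: MT runs as plain CGI, so a script with no execute bits cannot run.

DATA_API_SCRIPT="mt-data-api.cgi"   # file name taken from the advisory

# Print one of: absent | disabled | executable
mt_data_api_state() {
    script="$1/$DATA_API_SCRIPT"
    if [ ! -e "$script" ]; then
        echo "absent"
        return 0
    fi
    # Any execute bit (user, group or other) leaves the script runnable by someone.
    if [ -n "$(find "$script" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]; then
        echo "executable"
    else
        echo "disabled"
    fi
}

# Remove every execute bit, then re-check rather than trusting chmod's exit code.
mt_disable_data_api() {
    mt_dir="$1"
    if [ ! -d "$mt_dir" ]; then
        echo "error: not a directory: $mt_dir" >&2
        return 2
    fi
    if [ "$(mt_data_api_state "$mt_dir")" = "executable" ]; then
        chmod a-x "$mt_dir/$DATA_API_SCRIPT" || return 1
    fi
    state=$(mt_data_api_state "$mt_dir")
    echo "$state"
    [ "$state" != "executable" ]
}

# Usage: sh this-file /path/to/mt   (the path is a placeholder)
if [ "$#" -eq 1 ]; then
    mt_disable_data_api "$1"
fi
```

A result of "absent" or "disabled" means the workaround is in place; the Admin Panel (mt.cgi) still needs the IP restriction described above.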
RELEASED VERSIONS
- Movable Type 9.0.7
- Movable Type Advanced 9.0.7
- Movable Type AMI (via AWS Marketplace) 9.0.7
- Movable Type 8.8.3
- Movable Type Advanced 8.8.3
- Movable Type AMI (via AWS Marketplace) 8.8.3
- Movable Type 8.0.10
- Movable Type Advanced 8.0.10
- Movable Type AMI (via AWS Marketplace) 8.0.10
- Movable Type 9.1.1 (internal release)
Release Notes
Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using.
- Movable Type 9.0.7 Release Notes
- Movable Type 8.8.3 Release Notes
- Movable Type 8.0.10 Release Notes
- Movable Type 9.1.1 Release Notes (internal release)
How to get Movable Type
If you have an existing Movable Type license, you can download the latest version from our download portal using your Six Apart ID.
To purchase a new license or an upgrade, please visit MovableType.com for more information, or feel free to contact us if you have any questions.
Six Apart CTO