Published:2026/05/20 Last Updated:2026/05/20
JVN#56484285
Movable Type vulnerable to missing authorization
Overview
Movable Type provided by Six Apart Ltd. contains a missing authorization vulnerability.
Products Affected
- Movable Type / Movable Type Advanced
- 9.1.1 and earlier (9.1 series)
- 9.0.7 and earlier (9.0 series)
- 8.8.3 and earlier (8.8 series)
- 8.0.10 and earlier (8.0 series)
- Movable Type Premium / Movable Type Premium (Advanced Edition)
- 9.1.1 and earlier (9.1 series)
- 9.0.7 and earlier (9.0 series)
- 2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)
Description
Movable Type provided by Six Apart Ltd. contains the following vulnerability.
- Missing authorization (CWE-862)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score 4.3
- CVE-2026-44392
Impact
Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.
Solution
Update the Software
Update the affected product to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Six Apart Ltd. | Vulnerable | 2026/05/20 | Six Apart Ltd. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Six Apart Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Six Apart Ltd. coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2026-44392 |
| JVN iPedia |
JVNDB-2026-000076 |