JustAppSec

Movable Type security update fixes Listing Framework RCE

2 min read | Published 08 Apr 2026 | Updated 08 Apr 2026 | Source: JVN (Japan Vulnerability Notes)

TL;DR — Critical Listing Framework bugs in Movable Type can enable remote Perl code execution and SQL injection, especially in deployments exposing mt.cgi or mt-data-api.cgi to the internet.

What happened

Movable Type is a commercial CMS/blog publishing platform from Six Apart, commonly deployed with an administrative console (mt.cgi) and an optional Data API (mt-data-api.cgi).

JVN#66473735 reports multiple vulnerabilities in Movable Type’s Listing Framework:

| Vulnerability  | Impact (per advisory)              | Identifier     | Severity (source)                                       |
|----------------|------------------------------------|----------------|---------------------------------------------------------|
| Code injection | Execute arbitrary Perl script      | CVE-2026-25776 | CVSS v4.0 9.3 (Critical); CVSS v3.0 9.8 (Critical)      |
| SQL injection  | Execute an arbitrary SQL statement | CVE-2026-33088 | CVSS v3.0 7.3 (High); CVSS v4.0 6.9                     |

The advisory notes that affected scope includes instances where the Listing Framework is enabled in the administrative console and/or where the Data API is available. This matters because admin-plane and API-plane exposure is a common “last mile” misconfiguration in CMS deployments; an RCE-capable bug in those surfaces can quickly turn into a full-site compromise and credential theft.

Who is impacted

  • Movable Type / Movable Type Advanced installations in supported series listed as affected by the advisory (including 9.1.0 and earlier, 9.0.6 and earlier, 8.8.2 and earlier, 8.0.9 and earlier).
  • Movable Type Premium / Premium Advanced Edition (9.1.0 and earlier, 9.0.6 and earlier) and Movable Type Premium (MT8-based) / Premium variants (2.14 and earlier).
  • End-of-support Movable Type versions called out as affected by JVN when the Listing Framework and/or Data API exposure conditions apply (including 5.x, 6.x, 7.x, and 8.4.x series).
  • Higher-risk environments where mt.cgi and/or mt-data-api.cgi are reachable from untrusted networks.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "Update the affected product to the latest version according to the information provided by the developer."

  • Prioritize patching for internet-reachable admin/API deployments; the developer-released fixed versions listed by JVN include:
    • Movable Type / Movable Type Advanced: 9.1.1 (cloud), 9.0.7, 8.8.3, 8.0.10
    • Movable Type Premium: 9.1.1 / 9.0.7, 2.15
  • If you cannot upgrade immediately, apply vendor-documented mitigations for Data API attack paths (where applicable):
    • "Delete mt-data-api.cgi (for CGI environments)"
    • "Set data_api in the Movable Type environment variable RestrictedPSGIApp (for PSGI, MT 6.2 and later)"
    • "Set an unguessable string in the Movable Type environment variable DataAPIScript (for MT 6.0, 6.1)"

  • As additional temporary hardening guidance from Six Apart’s release communication, reduce exposure of the admin and API entrypoints until patch rollout is complete (e.g., IP-allowlist mt.cgi / mt-data-api.cgi). See: [Security Update] Movable Type 9.0.7, 8.8.3 and 8.0.10 Released.
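As an added example (not code from the JVN advisory or from Six Apart), a small POSIX shell audit that reports whether the interim Data API mitigations quoted above are in place for a given Movable Type install directory. It assumes the standard mt-config.cgi file lives in that directory and that the operator states whether the deployment runs as CGI or PSGI; the fixture values used in comments are constructed.

```shell
#!/bin/sh
# Added example, not from the JVN advisory or from Six Apart: audit a Movable Type
# install directory for the interim Data API mitigations quoted above.
# Assumes MT_HOME contains mt-config.cgi and, for CGI deployments, mt-data-api.cgi.

# Succeeds when mt-data-api.cgi is still present in MT_HOME (CGI attack path open).
mt_data_api_cgi_present() {
  [ -f "$1/mt-data-api.cgi" ]
}

# Succeeds when mt-config.cgi carries "RestrictedPSGIApp data_api" (PSGI mitigation).
# Commented-out lines are ignored; data_api may be one of several comma-separated apps.
mt_data_api_restricted() {
  conf="$1/mt-config.cgi"
  [ -f "$conf" ] || return 1
  grep -Ei '^[[:space:]]*RestrictedPSGIApp[[:space:]]+([^#]*[,[:space:]])?data_api([,[:space:]]|$)' "$conf" >/dev/null
}

# Prints "mitigated" or "exposed" for the given deployment mode (cgi | psgi).
# The CGI mitigation is removal of the script; RestrictedPSGIApp only applies to PSGI.
mt_data_api_status() {
  mt_home="$1"
  mode="$2"
  case "$mode" in
    cgi)  if mt_data_api_cgi_present "$mt_home"; then echo exposed; else echo mitigated; fi ;;
    psgi) if mt_data_api_restricted "$mt_home"; then echo mitigated; else echo exposed; fi ;;
    *)    echo "usage: mt_data_api_status MT_HOME cgi|psgi" >&2; return 2 ;;
  esac
}

# Stand-alone use: sh audit.sh /path/to/mt cgi
if [ "$#" -ge 2 ]; then
  printf 'Data API (%s): %s\n' "$2" "$(mt_data_api_status "$1" "$2")"
fi
```

The check covers only the two quoted mitigations; it does not tell you whether mt.cgi or mt-data-api.cgi is reachable from untrusted networks, which still has to be verified at the web server or firewall.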
