CVE-2026-23704
📋 TL;DR
This vulnerability allows non-administrative users to upload malicious files that can execute arbitrary scripts in administrators' browsers when accessed. It affects Movable Type 7 series and 8.4 series, which are End-of-Life (EOL) products.
💻 Affected Systems
- Movable Type
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full system takeover, data theft, or ransomware deployment through browser-based script execution.
Likely Case
Session hijacking, credential theft, or privilege escalation through cross-site scripting attacks against administrators.
If Mitigated
Limited impact with proper file upload restrictions and administrator browser security controls in place.
🎯 Exploit Status
Requires authenticated non-admin user access to upload files and administrator interaction to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.6
Vendor Advisory: https://movabletype.org/news/2026/02/mt-906-released.html
Restart Required: Yes
Instructions:
1. Backup your Movable Type installation and database.
2. Download Movable Type 9.0.6 from the official website.
3. Replace existing files with the patched version.
4. Restart the web server and application services.
🔧 Temporary Workarounds
Restrict File Uploads
Disable or severely restrict file upload capabilities for non-administrative users.
Modify Movable Type configuration to remove upload permissions from non-admin roles
Content Security Policy
Implement a strict Content Security Policy header to limit where scripts may be loaded from.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration. Note that 'self' still permits scripts served from the site's own origin, so this only helps if uploaded files are served from a separate origin or not rendered inline by the browser.
🧯 If You Can't Patch
- Isolate affected systems from internet access and restrict to internal network only
- Implement strict monitoring of file upload activities and administrator access patterns
🔍 How to Verify
Check if Vulnerable:
Check Movable Type version via admin interface or by examining the mt-config.cgi file for version information.
Check Version:
grep 'VERSION' /path/to/mt/mt-config.cgi 2>/dev/null || echo 'Check admin interface'
Verify Fix Applied:
Verify installation shows version 9.0.6 or later in the admin dashboard.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns from non-admin users
- Administrator accessing recently uploaded files with suspicious extensions
Network Indicators:
- Unexpected outbound connections from administrator workstations after file access
SIEM Query:
source="movabletype" AND ((event="file_upload" AND user_role!="admin") OR (event="file_access" AND user_role="admin"))
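As an added example (not part of this advisory and not Movable Type's own tooling), the following Python script applies the two log indicators above to constructed log lines: it flags uploads of browser-renderable file types by non-admin users, and then flags any later admin access to those same files. The log format, user names and paths are assumptions made up for the example.

```python
import re

# Constructed log format (an assumption, not Movable Type's real log layout):
#   <timestamp> <event> user=<name> role=<role> file=<path>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<event>file_upload|file_access) '
    r'user=(?P<user>\S+) role=(?P<role>\S+) file=(?P<file>\S+)$'
)

# Extensions a browser may render as active content when served inline.
RISKY_EXT = ('.html', '.htm', '.svg', '.xml', '.js')

# Constructed sample log: an author uploads an HTML file, an admin then opens it.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z file_upload user=alice role=author file=/uploads/photo.jpg
2026-02-10T09:05:12Z file_upload user=bob role=author file=/uploads/notes.html
2026-02-10T09:30:44Z file_access user=admin role=admin file=/uploads/notes.html
2026-02-10T10:00:00Z file_upload user=admin role=admin file=/uploads/theme.svg
2026-02-10T10:01:00Z file_access user=admin role=admin file=/uploads/photo.jpg
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious(log_text):
    """Return (alert, uploader, file) tuples for non-admin uploads of risky
    file types and for later admin access to those same files."""
    risky_uploads = {}  # file path -> non-admin user who uploaded it
    alerts = []
    for ev in parse(log_text):
        if ev['event'] == 'file_upload' and ev['role'] != 'admin':
            if ev['file'].lower().endswith(RISKY_EXT):
                risky_uploads[ev['file']] = ev['user']
                alerts.append(('risky_upload', ev['user'], ev['file']))
        elif ev['event'] == 'file_access' and ev['role'] == 'admin':
            uploader = risky_uploads.get(ev['file'])
            if uploader is not None:
                alerts.append(('admin_access_risky_upload', uploader, ev['file']))
    return alerts

if __name__ == '__main__':
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The admin's own SVG upload and the admin's access to a plain image produce no alert; only the non-admin HTML upload and the admin's subsequent access to it do.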