← back
CVE-2025-54856

CVE-2025-54856

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79
Movable Type contains a stored cross-site scripting vulnerability in Edit ContentData page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit ContentData page.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Six Apart Ltd. · Movable Type Advanced (Software Edition)Six Apart Ltd. · Movable Type (Cloud Edition)Six Apart Ltd. · Movable Type Premium (Advanced Edition) (Software Edition)Six Apart Ltd. · Movable Type Premium (Cloud Edition)Six Apart Ltd. · Movable Type Premium (Software Edition)Six Apart Ltd. · Movable Type (Software Edition)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://jvn.jp/en/jp/JVN24333679/https://movabletype.org/news/2025/10/mt-880-released.htmlhttps://www.sixapart.jp/movabletype/news/2025/10/22-1055.html