← back
CVE-2025-62499

CVE-2025-62499

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79
Movable Type contains a stored cross-site scripting vulnerability in Edit CategorySet of ContentType page. If crafted input is stored by an attacker with "ContentType Management" privilege, an arbitrary script may be executed on the web browser of the user who accesses Edit CategorySet of ContentType page.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
Six Apart Ltd. · Movable Type Advanced (Software Edition)Six Apart Ltd. · Movable Type (Cloud Edition)Six Apart Ltd. · Movable Type Premium (Advanced Edition) (Software Edition)Six Apart Ltd. · Movable Type Premium (Cloud Edition)Six Apart Ltd. · Movable Type Premium (Software Edition)Six Apart Ltd. · Movable Type (Software Edition)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://jvn.jp/en/jp/JVN24333679/https://movabletype.org/news/2025/10/mt-880-released.htmlhttps://www.sixapart.jp/movabletype/news/2025/10/22-1055.html