CVE-2026-21393

Description

Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

• How can I get the fixes?
• What do statuses mean?

References

• MITRE
• NVD
• Launchpad
• Debian

Other references

• https://www.cve.org/CVERecord?id=CVE-2026-21393
• https://jvn.jp/en/jp/JVN45405689/
• https://movabletype.org/news/2026/02/mt-906-released.html
• https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html