CVE-2026-21393: Cross-site scripting (XSS) in Six Apart Ltd. Movable Type (Software Edition)
CVE-2026-21393 is a stored cross-site scripting (XSS) vulnerability affecting Six Apart Ltd.'s Movable Type (Software Edition) versions 8.0.2 to 8.0.8, 8.8.0 to 8.8.1, and 9.
AI Analysis
Technical Summary
CVE-2026-21393 is a stored cross-site scripting vulnerability in the Edit Comment feature of Six Apart Ltd.'s Movable Type (Software Edition). An attacker can submit crafted input that is stored persistently on the server and later rendered, without adequate encoding, as arbitrary JavaScript in the browsers of authenticated users who view the affected comment. This can lead to theft of session cookies, credential compromise, or unauthorized actions performed on behalf of the user. The affected versions are 9.0.4 to 9.0.5 (9.0 series), 8.8.0 to 8.8.1 (8.8 series), and 8.0.2 to 8.0.8 (8.0 series); the end-of-life versions 7 and 8.4 are also vulnerable. Exploitation requires the attacker to be able to submit a comment that is stored, and requires the victim to be logged in and view the malicious comment, so user interaction is necessary. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates a network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and low impact on confidentiality and integrity with no impact on availability. No public exploits or active exploitation have been reported to date. The vulnerability underlines the need for input sanitization and, above all, context-appropriate output encoding in web applications, especially where user-generated content is displayed.
Potential Impact
For European organizations using Movable Type for blogging or content management, this vulnerability poses a risk of client-side script execution leading to session hijacking, theft of sensitive information, or unauthorized actions performed with user privileges. This can compromise user accounts, leak confidential information, and damage organizational reputation. Since the vulnerability requires authenticated users to interact with malicious content, internal users or administrators are at risk, potentially leading to privilege escalation or lateral movement within the organization. Public-facing websites are particularly vulnerable to targeted attacks by threat actors aiming to exploit this flaw to gain footholds or steal credentials. The impact is medium severity but can escalate if combined with other vulnerabilities or social engineering tactics. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance risks if user data is compromised.
Mitigation Recommendations
Organizations should immediately identify and inventory all instances of Movable Type in use, including EOL versions 7 and 8.4, and prioritize upgrading to the latest patched versions beyond 9.0.5 where the vulnerability is fixed. If patching is not immediately possible, implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the Edit Comment functionality. Enforce strict input validation and output encoding on all user-generated content to prevent script injection. Limit privileges for users who can submit comments and monitor logs for unusual comment submissions or user activity. Educate users about the risks of interacting with untrusted content, especially within authenticated sessions. Regularly review and update security policies related to web application security and user access controls. Conduct security testing and code reviews focused on XSS vulnerabilities in all web-facing applications. Finally, consider deploying Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-01-29T02:02:32.381Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6982f1fdf9fa50a62f736045
Added to database: 2/4/2026, 7:15:09 AM
Last enriched: 2/11/2026, 12:05:58 PM
Last updated: 3/23/2026, 3:27:03 AM
Views: 62