CVE-2026-21393: Cross-site scripting (XSS) in Six Apart Ltd. Movable Type (Software Edition)
Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AI Analysis
Technical Summary
CVE-2026-21393 is a stored cross-site scripting vulnerability found in Six Apart Ltd.'s Movable Type (Software Edition), specifically affecting versions 8.0.2 through 8.0.8, 8.8.0 through 8.8.1, and 9.0.4 through 9.0.5. The vulnerability resides in the Edit Comment feature, where maliciously crafted input submitted by an attacker is stored on the server and later rendered in the context of a logged-in user's browser without proper sanitization or encoding. This allows the injection and execution of arbitrary JavaScript code, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The attack requires the victim to be authenticated and to interact with the malicious content, limiting the attack surface. The CVSS 3.0 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges and user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. The vulnerability affects supported versions as well as End-of-Life versions 7 and 8.4 series, which may still be in use in some environments. No public exploit code or active exploitation has been reported to date. The vulnerability was published on February 4, 2026, and assigned by JPCERT. Given the nature of stored XSS, the risk is primarily to users with elevated privileges who interact with the compromised comments, potentially enabling lateral movement or privilege escalation within the web application context.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to web applications using Movable Type for content management and publishing. Successful exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as authentication tokens, and execution of malicious actions under the guise of legitimate users. This could undermine the integrity of published content and potentially facilitate further attacks such as phishing or malware distribution. Organizations in sectors with high reliance on web publishing platforms, including media, education, and government, may face reputational damage and compliance risks, especially under GDPR if personal data is compromised. The requirement for authenticated user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks against privileged users. The presence of End-of-Life versions in production environments increases risk due to lack of official patches and support. Overall, the impact is medium severity but could escalate if combined with other vulnerabilities or social engineering tactics.
Mitigation Recommendations
European organizations should immediately assess their use of Movable Type and identify affected versions. The primary mitigation is to upgrade to the latest patched versions beyond 9.0.5 or apply vendor-provided patches if available. For End-of-Life versions, organizations should plan migration to supported releases or alternative platforms. Implement strict input validation and output encoding on comment fields to prevent script injection. Employ Content Security Policy (CSP) headers to restrict script execution origins and reduce XSS impact. Limit privileges of users who can post or edit comments to reduce attack surface. Monitor logs for suspicious comment submissions and anomalous user behavior. Educate users about the risks of interacting with untrusted content even within authenticated sessions. Regularly review and update web application firewall (WAF) rules to detect and block XSS payloads targeting Movable Type. Finally, maintain a robust incident response plan to quickly address any exploitation attempts.
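The output-encoding and CSP recommendations above, as an added Python example that is not Movable Type's code: a stored comment rendered into an edit form by plain string interpolation (the stored XSS pattern) beside the same form with context-aware encoding and a restrictive Content-Security-Policy. Field names, function names and the tainted comment are constructed for illustration.

```python
# Added example (not Movable Type's code): context-aware output encoding for a
# stored comment rendered into an "edit comment" form, shown beside the unsafe
# interpolation pattern that produces stored XSS. Names are illustrative.
from dataclasses import dataclass
from html import escape


@dataclass
class Comment:
    author: str
    body: str


# Constructed attacker-controlled input: the author value closes the attribute
# it lands in, the body carries a script element. Both are inert once encoded.
TAINTED = Comment(author='Eve" onfocus="x()', body="<script>x()</script>")


def render_edit_form_unsafe(c: Comment) -> str:
    """Vulnerable pattern: stored values concatenated straight into markup."""
    return (
        f'<input name="author" value="{c.author}">'
        f'<textarea name="body">{c.body}</textarea>'
    )


def render_edit_form(c: Comment) -> str:
    """Hardened: encode each value for the context it is written into.

    escape(..., quote=True) replaces & < > " ' so the value can neither end
    the attribute nor open a tag; the textarea content is encoded too because
    a literal </textarea> in the stored text would terminate the element.
    """
    return (
        f'<input name="author" value="{escape(c.author, quote=True)}">'
        f'<textarea name="body">{escape(c.body, quote=True)}</textarea>'
    )


def response_headers() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline', so an encoding miss
    elsewhere in the page cannot execute injected inline script."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'none'",
    }


if __name__ == "__main__":
    print(render_edit_form_unsafe(TAINTED))
    print(render_edit_form(TAINTED))
```

Encoding at render time, not stripping at submission time, is what closes the hole: the stored text stays intact for moderators to read while never reaching the browser as live markup.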
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-01-29T02:02:32.381Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6982f1fdf9fa50a62f736045
Added to database: 2/4/2026, 7:15:09 AM
Last enriched: 2/4/2026, 7:30:27 AM
Last updated: 2/7/2026, 12:39:50 AM