CVE-2026-22875: Cross-site scripting (XSS) in Six Apart Ltd. Movable Type (Software Edition)
CVE-2026-22875 is a stored cross-site scripting (XSS) vulnerability affecting Six Apart Ltd.'s Movable Type (Software Edition) versions 8.0.2 to 8.0.8, 8.8.0 to 8.8.1, and 9.
AI Analysis
Technical Summary
CVE-2026-22875 is a stored cross-site scripting (XSS) vulnerability in Six Apart Ltd.'s Movable Type (Software Edition), specifically in the Export Sites feature. An authenticated attacker can inject script code that is stored on the server and later executed in the browsers of other authenticated users when they access the affected functionality. Stored XSS is particularly dangerous because the payload persists on the server and is served to every user who reaches the affected page, increasing the likelihood of exploitation. The affected versions are 9.0.4 to 9.0.5 (9.0 series), 8.8.0 to 8.8.1 (8.8 series), and 8.0.2 to 8.0.8 (8.0 series); the End-of-Life 7 and 8.4 series are also vulnerable but unsupported. Exploitation requires low privileges (PR:L) and user interaction (UI:R), with a network attack vector (AV:N) and low attack complexity (AC:L). The impact is loss of confidentiality and integrity through script execution in the victim's browser, for example session hijacking, credential theft, or actions performed on the victim's behalf. The CVSS v3.0 base score is 5.4, a medium severity rating. No public exploits have been reported yet, but a stored XSS in a content management system is a significant risk for organizations that rely on Movable Type for web publishing.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized script execution within the context of authenticated users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions on web portals managed by Movable Type. Given that Movable Type is used for content management and website publishing, exploitation could result in defacement, data leakage, or disruption of web services. The impact is heightened in environments where multiple users have elevated privileges or where sensitive data is accessible through the affected application. Additionally, organizations using End-of-Life versions face increased risk due to lack of official patches and support. The medium severity rating suggests moderate risk, but the potential for lateral movement or privilege escalation through chained attacks should not be underestimated. European entities with public-facing websites or intranet portals running vulnerable Movable Type versions are particularly at risk, especially if they do not enforce strict access controls or input validation.
Mitigation Recommendations
Organizations should immediately identify all instances of Movable Type in their environment and verify the version in use. Upgrading to the latest patched versions beyond 9.0.5 or applying vendor-provided patches (once available) is the most effective mitigation. For End-of-Life versions, consider migrating to supported releases or alternative platforms. In the interim, implement strict input validation and sanitization on all user inputs related to the Export Sites feature to prevent malicious script injection. Restrict access to the Export Sites functionality to trusted users only and enforce the principle of least privilege to minimize the risk of an attacker gaining the necessary authentication level. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS payloads. Regularly audit logs for suspicious activity related to Export Sites and monitor for anomalous user behavior. Educate users about the risks of clicking on unexpected links or executing unknown scripts within the application context. Finally, consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS attempts targeting Movable Type.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-01-29T02:02:30.407Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6982f1fdf9fa50a62f73604a
Added to database: 2/4/2026, 7:15:09 AM
Last enriched: 2/11/2026, 12:06:15 PM
Last updated: 3/21/2026, 7:28:16 PM