CVE-2026-23704: Unrestricted upload of file with dangerous type in Six Apart Ltd. Movable Type (Software Edition)
A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator's browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
AI Analysis
Technical Summary
CVE-2026-23704 is a vulnerability in Six Apart Ltd.'s Movable Type (Software Edition) that lets non-administrative users upload files of dangerous types without proper validation or restriction. The flaw exists in versions 8.0.2 through 9.0.5, including the End-of-Life 7 and 8.4 series. The core issue is that an uploaded malicious file can later be accessed by an administrator or by the product itself, at which point an arbitrary script runs in the administrator's browser context. This cross-site scripting (XSS)-like behavior can expose session tokens, enable unauthorized actions, or facilitate further attacks within the administrative interface. The CVSS 3.0 base score is 6.5 (medium): network attack vector, low attack complexity, low privileges required (a non-admin account), and user interaction required (an administrator accessing the file). The scope is changed, meaning the impact extends beyond the component the non-admin user controls. No exploits are known in the wild, but the affected EOL versions will not receive patches, which increases the risk for anyone still running them. The root cause is insufficient validation of uploaded files combined with inadequate sanitization or access control on uploaded content, which allows a malicious payload to be delivered through the administrative interface.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of web-based content management systems using Movable Type. Successful exploitation could allow attackers to execute arbitrary scripts in administrator browsers, potentially leading to session hijacking, unauthorized administrative actions, data leakage, or further compromise of internal networks. Organizations relying on Movable Type for publishing or internal content management may face defacement, data theft, or disruption of services. The risk is heightened for entities that have not upgraded from EOL versions, as they lack vendor support and patches. Given the medium CVSS score and the requirement for user interaction, the threat is moderate but could be leveraged in targeted attacks against high-value European media, government, or corporate websites. The vulnerability could also serve as an entry point for broader attacks within organizations if administrative credentials or sessions are compromised.
Mitigation Recommendations
European organizations should immediately assess their use of Movable Type versions and prioritize upgrading to the latest patched versions beyond 9.0.5 once available. In the absence of patches, implement strict file upload restrictions by configuring the application or web server to block or sanitize uploads of dangerous file types, such as scripts or executables. Employ web application firewalls (WAFs) with rules to detect and block malicious file uploads and suspicious administrative interface activity. Limit the number of users with upload privileges and enforce the principle of least privilege. Educate administrators to avoid opening suspicious files or links within the administrative interface. Monitor logs for unusual upload or access patterns and conduct regular security audits of the CMS environment. For EOL versions, consider migrating to supported platforms or isolating the CMS environment to reduce exposure. Additionally, implement Content Security Policy (CSP) headers to mitigate the impact of script execution in browsers.
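The following is an added illustration of the upload-side and serving-side controls recommended above; it is not Movable Type's code and does not come from the advisory. It assumes a generic upload handler that receives the client-supplied filename, declared Content-Type and file bytes, and a download endpoint that serves stored files back to administrators. The allow-list, magic-number table and sample uploads are constructed for the example.

```python
import os
import re
import secrets
from typing import Dict, Tuple

# Allow-list of extensions a non-administrative user may upload, each paired
# with the leading bytes ("magic numbers") a genuine file of that type starts
# with.  Anything a browser renders as active content (html, htm, svg, xml,
# xhtml, js) and anything a server might execute (cgi, pl, php) is simply not
# listed, so it is refused by default.
ALLOWED_TYPES: Dict[str, Tuple[str, Tuple[bytes, ...]]] = {
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}

# Markers that should never appear near the start of a binary image.  Their
# presence suggests a polyglot that a lenient browser or viewer might sniff
# and interpret as markup or script.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<svg", b"<html", b"<?xml", b"<?php")

# Filenames: a single plain component, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).  All checks must pass; the first failing
    check is named so the rejection can be logged and monitored."""
    # Strip any directory part the client sent; only the basename is considered.
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(name) or ".." in name:
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not on allow-list"
    expected_mime, magics = ALLOWED_TYPES[ext]
    # The client-declared Content-Type is untrusted but must at least agree.
    if declared_mime.lower().split(";")[0].strip() != expected_mime:
        return False, "declared Content-Type does not match extension"
    # The bytes themselves decide the type, not the name or the header.
    if not any(data.startswith(m) for m in magics):
        return False, "file header does not match claimed type"
    if any(marker in data[:4096].lower() for marker in ACTIVE_CONTENT_MARKERS):
        return False, "active content marker found in binary upload"
    return True, "ok"


def stored_name_for(ext: str) -> str:
    """Server-chosen storage name.  The user-supplied name never reaches the
    filesystem or a URL, which removes traversal and name-based confusion."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(stored_name: str) -> Dict[str, str]:
    """Response headers for serving a stored upload back to an administrator.
    The file is delivered as an inert download, never sniffed or rendered
    with the application's origin privileges."""
    ext = stored_name.rsplit(".", 1)[-1].lower()
    mime, _ = ALLOWED_TYPES[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


# Constructed sample uploads (not real traffic), one per check.
SAMPLES = [
    ("logo.png",   "image/png",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),       # genuine image
    ("notes.html", "text/html",  b"<html><script>alert(1)</script></html>"),  # type not allowed
    ("image.png",  "text/html",  b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),       # header/extension mismatch
    ("photo.png",  "image/png",  b"<svg><script>alert(1)</script></svg>"),    # markup named as an image
    ("cat.jpg",    "image/jpeg", b"\xff\xd8\xff\xe0<script>alert(1)</script>"),  # polyglot
    ("../../uploads/x.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),  # path stripped to basename
]


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed sample; results are returned so they can be checked."""
    return {name: validate_upload(name, mime, body) for name, mime, body in SAMPLES}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name!r}: {reason}")
    print(download_headers(stored_name_for("png")))
```

The two halves address the two ends of the advisory's attack path: `validate_upload` refuses anything that is not provably one of a few inert formats at upload time, and `download_headers` makes sure that even a file which slips through is never rendered in the administrator's origin, because `nosniff`, `attachment` and a `sandbox` CSP together stop the browser from treating the response as an executable document. Logging the `reason` string from every rejection gives the monitoring signal the recommendations call for.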
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2026-01-29T02:02:31.425Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6982f1fdf9fa50a62f73604f
Added to database: 2/4/2026, 7:15:09 AM
Last enriched: 2/4/2026, 7:29:48 AM
Last updated: 2/6/2026, 9:38:06 PM
Views: 19
Related Threats
- CVE-2026-25732: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in zauberzeug nicegui (High)
- CVE-2026-25574: CWE-639: Authorization Bypass Through User-Controlled Key in payloadcms payload (Medium)
- CVE-2026-25544: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in payloadcms payload (Critical)
- CVE-2026-25516: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui (Medium)
- CVE-2026-2067: Buffer Overflow in UTT 进取 520W (High)