CVE-2026-23704 is a vulnerability in Six Apart Ltd.'s Movable Type (Software Edition) that permits non-administrative users to upload files with dangerous types without adequate validation or restriction. This flaw exists in versions 8.0.2 through 8.0.8, 8.8.0 through 8.8.1, and 9.0.4 through 9.0.5, including some End-of-Life versions (7 series and 8.4 series). The core issue is that the application fails to properly restrict or sanitize file uploads, allowing malicious files—such as scripts or HTML files containing JavaScript—to be uploaded by users with limited privileges. When an administrator or the application accesses these files, the embedded scripts can execute in the administrator's browser context, leading to arbitrary script execution. This can result in session hijacking, credential theft, or further compromise of the administrative interface. The vulnerability is rated with a CVSS 3.0 score of 6.5 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges but only limited user interaction, and impacting confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability's nature makes it a candidate for targeted attacks, especially in environments where multiple users have upload permissions. The vulnerability affects the web-based content management system, which is often used by organizations to manage websites and blogs, making it a critical vector for web-based attacks if exploited.

For European organizations, this vulnerability poses a significant risk to the security of web content management systems running Movable Type. Exploitation could lead to unauthorized script execution in administrator browsers, potentially resulting in credential theft, session hijacking, or unauthorized administrative actions. This compromises the confidentiality and integrity of the organization's web content and administrative controls. Availability could also be impacted if attackers deploy disruptive scripts or malware. Organizations relying on Movable Type for critical web infrastructure or public-facing websites may face reputational damage, data breaches, or service disruptions. The presence of End-of-Life versions in the affected list increases risk for organizations that have not maintained up-to-date software, as these versions may lack vendor support or patches. Given the medium severity and the requirement for some user privileges and interaction, the threat is moderate but should not be underestimated, especially in environments with multiple contributors or editors who can upload files.

Organizations should immediately audit their Movable Type installations to identify affected versions and prioritize upgrading to patched versions beyond 9.0.5 or the latest supported release. If immediate patching is not possible, implement strict file upload restrictions by configuring the application or web server to block dangerous file types such as scripts, HTML, or executable files. Employ content security policies (CSP) and browser security headers to limit the impact of any script execution. Restrict upload permissions to trusted users only and monitor upload activity for suspicious files. Additionally, implement multi-factor authentication for administrator accounts to reduce the risk of credential compromise. Regularly review and sanitize uploaded content and consider deploying web application firewalls (WAF) with rules to detect and block malicious file uploads or script execution attempts. Finally, educate administrators and users about the risks of interacting with untrusted uploaded files.