Movable Type Listing Framework RCE and SQL Injection Vulnerabilities (CVE-2026-25776/CVE-2026-33088)

Vulnerability Overview This advisory concerns two security vulnerabilities in the Listing Framework of the Movable Type content management system, which manages the backend and Data API : 1. Remote Code Execution (RCE): Allows execution of arbitrary Perl code during filter processing. CVE ID: CVE-2026-25776 (MTC-31204) 2. SQL Injection: Allows execution of arbitrary SQL statements during request processing. CVE ID: CVE-2026-33088 (MTC-31212) Affected Versions The following versions are affected: Movable Type / Movable Type Advanced: Version 9.1.0 and earlier (9.1 series) Version 9.0.6 and earlier (9.0 series) Version 8.8.2 and earlier (8.8 series) Version 8.0.9 and earlier (8.0 series) Movable Type Premium / Movable Type Premium Advanced Edition: Version 9.1.0 and earlier (9.1 series) Version 9.0.6 and earlier (9.0 series) Version 2.14 and earlier (2.1 series / 8.8 series) End-of-Life (EOL) Versions: Movable Type 5.1 - 5.18, 5.2 - 5.2.13, 6.0 - 6.8.8, 7.1.4207 - 7.5510, 8.4.0 - 8.4.4 Movable Type Premium 1.0 - 1.68 Remediation 1. Upgrade (Recommended): Upgrade to a patched version, including: Movable Type 9.1.1, 9.0.7, 8.8.3, 8.10.0 Movable Type Premium 9.1.1, 9.0.7, 2.15 2. Temporary Mitigation: If an immediate upgrade is not possible, it is recommended to restrict access to the Data API. For specific configuration details, please refer to the official "Movable Type Security Countermeasures Guide" (Movable Type セキュリティ対策ガイド). 3. Obtaining Updates: Software Version: Download the latest version from the Shikaku/Abart user website. Cloud Version: Automatic updates are enabled. AMI Version: Refer to the AWS Marketplace page for updates. Personal Version: Re-download the Personal Edition installer.

Goal Reached Thanks to every supporter — we hit 100%!

Movable Type Listing Framework RCE and SQL Injection Vulnerabilities (CVE-2026-25776/CVE-2026-33088)