Six Apart Ltd. has issued an urgent security advisory for Movable Type, a long-standing content management system used by enterprises worldwide. The report details two severe vulnerabilities within the platform’s Listing Framework, a core component used internally by both the Admin Panel and the Data API.
If left unpatched, these vulnerabilities could let an attacker run arbitrary code on the web server or issue arbitrary queries against the backend database.
Both flaws sit in the Listing Framework, the component that builds the filtered listings shown by the platform's management interfaces. The advisory describes two attack vectors:
- Remote Code Execution (RCE) via Filter Processing (CVE-2026-25776): the more severe of the two, with a near-maximum CVSS score of 9.8. The flaw lies in filter processing and "could allow the execution of arbitrary Perl code". Movable Type is a Perl application, so an attacker who triggers it runs commands with the privileges of the web server process.
- SQL Injection via Request Processing (CVE-2026-33088): rated CVSS 7.3, this flaw sits in the framework's request processing and "could allow the execution of arbitrary SQL commands," enabling data theft or unauthorized modification of website content.
The advisory notes that “these issues may occur when the Admin Panel (mt.cgi) or Data API (mt-data-api.cgi) can be accessed from the Internet”. Organizations that expose their administrative backends to the public web are at the highest risk of exploitation.
All Movable Type releases from 6.0 onward are affected. Six Apart has published fixed releases for three branches (no fixed 6.x or 7.x release is listed, so those installations must move to a supported series):
- Movable Type / Advanced / AMI: 9.0.7
- Movable Type / Advanced / AMI: 8.8.3
- Movable Type / Advanced / AMI: 8.0.10
While “upgrading to the latest version is the only way to fully resolve the issues,” Six Apart has provided temporary mitigation steps for those unable to patch immediately.
- Restrict Administrative Access: Limit access to the Admin Panel (mt.cgi) and Data API (mt-data-api.cgi) to “trusted IP addresses only”.
- Disable the Data API: If your organization does not use the Data API, disable mt-data-api.cgi by "removing its execution permissions or deleting the file".
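As an added example (not code from Six Apart, the advisory, or this report), the following POSIX shell helpers turn the fixed-version table and the two interim mitigations above into something an administrator can check and apply: a version comparison that says whether an installed release already carries the fix, a generator for an Apache access restriction covering both mt.cgi and mt-data-api.cgi, and a function that strips execute permission from the Data API script and confirms it is no longer executable. Assumptions are marked in the comments: the CGI directory /var/www/cgi-bin/mt, Apache 2.4 `Require ip` syntax, and the branch mapping that 8.0.x stays on 8.0.10 while 8.1 through 8.7 move to 8.8.3 (an inference from the three patch lines, not a statement in the advisory).

```shell
#!/bin/sh
# Added example, not code from Six Apart or from this report. Triage and
# mitigation helpers for the Movable Type Listing Framework advisory.
# Assumptions: MT lives in /var/www/cgi-bin/mt (adjust to your install),
# the web server is Apache 2.4 (Require ip), and 8.0.x is maintained as
# its own branch while 8.1.x-8.7.x move to 8.8.3 (inferred from the three
# patch releases, not stated by the advisory).

# ver_ge A B: succeed if dotted version A is at or above B, compared
# component-wise as integers (so 8.10 > 8.8 and 8 == 8.0.0). Numeric only.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# mt_fixed_version INSTALLED: print the first fixed release for that
# branch (from the advisory); fail if none is listed (6.x/7.x must upgrade).
mt_fixed_version() {
    case $1 in
        9.*)        echo 9.0.7 ;;
        8.0|8.0.*)  echo 8.0.10 ;;
        8.*)        echo 8.8.3 ;;
        *)          return 1 ;;
    esac
}

# mt_is_patched INSTALLED: succeed only if INSTALLED already carries the fix.
mt_is_patched() {
    fixed=$(mt_fixed_version "$1") || return 1
    ver_ge "$1" "$fixed"
}

# mt_allow_conf IP...: emit an Apache 2.4 snippet that limits mt.cgi and
# mt-data-api.cgi to the given addresses or CIDR ranges; every other client
# gets 403. Include it in the vhost that serves the MT CGI directory.
mt_allow_conf() {
    [ $# -gt 0 ] || { echo 'usage: mt_allow_conf IP...' >&2; return 2; }
    printf '<Directory "/var/www/cgi-bin/mt">\n'
    printf '    <FilesMatch "^mt(-data-api)?\\.cgi$">\n'
    printf '        Require ip %s\n' "$*"
    printf '    </FilesMatch>\n'
    printf '</Directory>\n'
}

# mt_disable_data_api [PATH]: remove the execute bits from mt-data-api.cgi,
# the advisory's first option (the other is deleting the file). Succeeds
# only if the file is no longer executable afterwards.
mt_disable_data_api() {
    f=${1:-/var/www/cgi-bin/mt/mt-data-api.cgi}
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    chmod a-x "$f" && [ ! -x "$f" ]
}

# Usage (run by hand after sourcing; nothing executes on load):
#   . ./mt_mitigate.sh
#   mt_is_patched 8.8.2 || echo "upgrade to $(mt_fixed_version 8.8.2)"
#   mt_allow_conf 203.0.113.0/24 198.51.100.7 > /etc/apache2/conf-available/mt-restrict.conf
#   mt_disable_data_api
```

Two checks are worth making after applying either mitigation. First, the IP restriction must cover both entry points, since the advisory names mt.cgi as well as mt-data-api.cgi; disabling only the Data API leaves the Admin Panel reachable. Second, confirm the result from an address outside the allow-list: the web server should answer 403 for both scripts, and after removing execute permission a request for mt-data-api.cgi should produce a server error rather than the Perl source (a sign the directory is not handled as CGI, in which case deleting the file is the safer option).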
Because these vulnerabilities “affect core framework components,” security teams are urged to prioritize the 9.0.7, 8.8.3, or 8.0.10 upgrades to ensure their CMS environment remains secure against remote attacks.