Platform: php
Component: movable-type
Fixed in: 9.1.1, 9.0.7, 8.8.3, 8.0.10
CVE-2026-33088 is a SQL injection vulnerability in Movable Type, a content management system (CMS) developed by Six Apart Ltd. Untrusted request input reaches a database query without adequate handling, so an attacker can inject SQL that changes the query's structure and reads or modifies data in the backing database. Affected versions are 8.0.9 up to and including 9.1.0; the fix shipped in version 9.1.1.
The vulnerability is rated CVSS 7.3, which is High severity. What an attacker gains depends on the privileges of the database account Movable Type runs with: at minimum, disclosure of data the application never intended to expose; with a broader account, modification or deletion of data, service disruption, and potentially compromise of the application itself. Applying the vendor's security update is the only complete fix.
Like other SQL injection flaws, this one is triggered through an HTTP request whose input (a form field, query-string parameter or header) is incorporated into a SQL statement without proper validation, escaping or parameter binding, so that attacker-controlled text is executed by the database server as part of the query. The attacker needs only to reach the vulnerable endpoint over HTTP; whether authentication is required first, and how much effort exploitation takes, depend on the deployment's configuration and the security controls in front of it.
Exploit Status
EPSS: 0.04% (11th percentile)
The recommended fix for CVE-2026-33088 is to update Movable Type to version 9.1.1 or later, which corrects the vulnerable query handling. Until the update can be applied, reduce the blast radius: run Movable Type with a database account that holds only the privileges it needs (no DDL, no access to other schemas), limit who can reach the application and the database host, and review web-server and database logs for injection patterns such as tautologies, UNION SELECT and comment terminators in request parameters. Parameterized queries and input validation throughout the code base prevent the whole class of bug. After updating, confirm the running version and re-test the application to verify both that it works and that the injection no longer succeeds.
Update Movable Type to version 9.1.1 or later to fix the SQL injection. See the release notes for detailed upgrade instructions.
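As an added illustration of the log-monitoring step above (example code written for this page, not part of Movable Type or the advisory), the following Python script parses Combined Log Format access-log lines and flags requests whose URL-decoded query string matches common SQL injection patterns. The log lines, client addresses, endpoint paths and parameter names are constructed for the example and are not the endpoint affected by CVE-2026-33088.

```python
import re
from urllib.parse import unquote_plus

# Constructed Combined Log Format lines. Hosts, paths and parameter names are
# hypothetical and are NOT the endpoint affected by CVE-2026-33088.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /app/view?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /app/view?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "curl/8.4"
198.51.100.2 - - [10/Mar/2026:12:00:09 +0000] "GET /app/list?id=3%20UNION%20SELECT%20name%2Cpassword%20FROM%20users HTTP/1.1" 500 312 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2026:12:00:15 +0000] "GET /app/search?q=o%27reilly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2026:12:00:20 +0000] "GET /app/view?id=1%27%3B%20SELECT%20pg_sleep(5)-- HTTP/1.1" 200 5120 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method, request target and status; the remainder of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Signature rules applied to the URL-decoded query string. A lone apostrophe is
# deliberately not a rule: names such as O'Reilly would drown the alerts.
RULES = [
    ("union_select", re.compile(r"\bunion\b.+?\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("stacked_query", re.compile(r";\s*(select|insert|update|delete|drop|alter)\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|pg_sleep|benchmark|waitfor)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"['\"]\s*(--|#|/\*)")),
]


def decode_query(target: str) -> str:
    """URL-decode the query string of a request target ('' when there is none).
    Decoding first matters: attackers percent-encode payloads to dodge naive greps."""
    _, _, query = target.partition("?")
    return unquote_plus(query)


def classify(decoded_query: str) -> list[str]:
    """Names of every rule that fires on the decoded query string."""
    return [name for name, pattern in RULES if pattern.search(decoded_query)]


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report the ones whose query string matches a rule."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a production pipeline would count these
        rules = classify(decode_query(match["target"]))
        if rules:
            findings.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": match["status"],
                "target": match["target"],
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['status']} {','.join(f['rules'])} {f['target']}")
```

Two caveats a practitioner should keep in mind: access logs only carry GET query strings, so injection through POST bodies or headers is invisible here and needs application or database query logging instead; and signature matching is a triage aid, not a verdict, so pair hits with the response status (a burst of 500s from one client is a strong corroborating signal) before escalating.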
SQL injection is an attack in which untrusted input is incorporated into a SQL statement so that it alters the statement's structure rather than acting as plain data, letting the attacker read, modify or delete information the application never intended to expose.
As a temporary measure, run Movable Type with a least-privilege database account, restrict who can reach the application and the database, validate user input, and monitor request and database logs for injection patterns.
Web application vulnerability scanners can detect many SQL injection flaws; they complement, but do not replace, a review of every place user input reaches a query.
Use parameterized queries (prepared statements) wherever input reaches SQL, validate and normalize input on top of that, and run the application with a database account holding only the privileges it needs, so that a successful injection cannot escalate into writes, schema changes or access to other data.
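An added example, written for this page and not Movable Type's own code, showing the three controls above side by side in Python with sqlite3: a lookup built by string interpolation (the defect class behind CVE-2026-33088), the same lookup with input validation and a bound parameter, and a least-privilege connection that refuses writes even when a query is attacker-controlled. The table, rows and payload are constructed for the example, and sqlite3's authorizer hook stands in for the restricted database account a real deployment would use.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema and rows for the example; this is not Movable Type's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE entry (id INTEGER PRIMARY KEY, title TEXT, status TEXT);
        INSERT INTO entry VALUES (1, 'Hello world', 'published');
        INSERT INTO entry VALUES (2, 'Draft post', 'draft');
        INSERT INTO entry VALUES (3, 'Another public post', 'published');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, entry_id: str) -> list:
    """Deliberately vulnerable: the request parameter is pasted into the SQL text.
    A payload such as "2 OR 1=1 --" rewrites the WHERE clause and comments out the
    status filter, so unpublished rows come back too."""
    sql = f"SELECT id, title FROM entry WHERE id = {entry_id} AND status = 'published'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, entry_id: str) -> list:
    """Hardened: check the input's shape, then pass it as a bound parameter. The
    driver sends the value separately from the statement, so it can never change
    the query's structure; the shape check rejects junk early and gives a clean error."""
    if not entry_id.isdigit():
        raise ValueError("entry id must be a non-negative integer")
    sql = "SELECT id, title FROM entry WHERE id = ? AND status = 'published'"
    return conn.execute(sql, (int(entry_id),)).fetchall()


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    """Least privilege, stand-in for a read-only database account: the authorizer
    hook vetoes every action except SELECT, column reads and function calls."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def write_blocked(conn: sqlite3.Connection) -> bool:
    """True if the connection refuses a write, i.e. the privilege restriction holds."""
    try:
        conn.execute("DELETE FROM entry")
    except sqlite3.DatabaseError:  # raised as "not authorized" when the hook denies
        return True
    conn.rollback()
    return False


def demo() -> dict:
    """Run the vulnerable and hardened paths against the same payload."""
    conn = build_db()
    restrict_to_reads(conn)
    payload = "2 OR 1=1 --"  # classic tautology plus comment terminator
    result = {
        "normal": vulnerable_lookup(conn, "1"),
        "injected_vulnerable": vulnerable_lookup(conn, payload),
        "injected_safe": "",
        "write_blocked": write_blocked(conn),
    }
    try:
        safe_lookup(conn, payload)
    except ValueError as exc:
        result["injected_safe"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of layering the controls is that each covers a different failure: binding parameters stops the injection, validation keeps malformed input from reaching the database at all, and the privilege restriction limits what an injection that slips past both can do (here the draft row leaks through the vulnerable path, but a DELETE is refused).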
You can find more information about CVE-2026-33088 in vulnerability databases such as the National Vulnerability Database (NVD).