What is CVE-2026-44392?

CVE-2026-44392 is a medium-severity vulnerability in Six Apart Ltd. Movable Type, classified under Missing Authorization. CVSS score: 4.3/10. Published 2026-05-20.

How severe is CVE-2026-44392?

Medium severity. CVSS v3 base score is 4.3 out of 10.

Auth bypass in Six Apart Ltd. Movable Type

CVE-2026-44392

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed.

Vulnerability class: Broken Access Control

EPSS: 0.000 (9.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.3 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Affected products

Six Apart Ltd. Movable Type — versions 9.1.1 and earlier, 9.0.7 and earlier, 8.8.3 and earlier
Six Apart Ltd. Movable Type Advanced — versions 9.1.1 and earlie, 9.0.7 and earlier, 8.8.3 and earlier
Six Apart Ltd. Movable Type Premium — versions 9.1.1 and earlier, 9.0.7 and earlier, 2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)
Six Apart Ltd. Movable Type Premium (Advanced Edition) — versions 9.1.1 and earlier, 9.0.7 and earlier, 2.15 and earlier (included in Movable Type 8.8.4 and earlier or Movable Type 8.0.11 and earlier)

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

Frequently asked questions

What is CVE-2026-44392?: CVE-2026-44392 is a medium-severity vulnerability in Six Apart Ltd. Movable Type, classified under Missing Authorization. CVSS score: 4.3/10. Published 2026-05-20.
How severe is CVE-2026-44392?: Medium severity. CVSS v3 base score is 4.3 out of 10.