CVE-2026-24447
Unknown Unknown - Not Provided

CSV Injection in Movable Type Allows Code Execution via Malformed Data

Vulnerability report for CVE-2026-24447, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: JPCERT/CC

Description

If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-07-06
AI Q&A
2026-02-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
movable_type 7 *
movable_type 8.4 *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs when malformed data is input into the affected product, causing a CSV file downloaded from the product to contain that malformed data. When a user downloads and opens this CSV file, embedded code within the malformed data may be executed in the user's environment.

The affected products include Movable Type 7 series and 8.4 series, which are End-of-Life (EOL).

Impact Analysis

The vulnerability can lead to the execution of embedded code on a victim user's environment when they open a maliciously crafted CSV file downloaded from the affected product. This could potentially allow attackers to run unauthorized code, which may compromise the user's system or data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart