CVE-2026-24447
CSV Injection in Movable Type Allows Code Execution via Malformed Data
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| movable_type | 7 | * |
| movable_type | 8.4 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs when malformed data is input into the affected product, causing a CSV file downloaded from the product to contain that malformed data. When a user downloads and opens this CSV file, embedded code within the malformed data may be executed in the user's environment.
The affected products include Movable Type 7 series and 8.4 series, which are End-of-Life (EOL).
How can this vulnerability impact me? :
The vulnerability can lead to the execution of embedded code on a victim user's environment when they open a maliciously crafted CSV file downloaded from the affected product. This could potentially allow attackers to run unauthorized code, which may compromise the user's system or data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know