CVE-2026-24447

Summary

If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Affected Software

VendorProductVersion RangeStatus
Six Apart Ltd.Movable Type (Software Edition)9.0.4 to 9.0.5 (9.0 series)affected
Six Apart Ltd.Movable Type (Software Edition)8.8.0 to 8.8.1 (8.8 series)affected
Six Apart Ltd.Movable Type (Software Edition)8.0.2 to 8.0.8 (8.0 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)9.0.4 to 9.0.5 (9.0 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)8.8.0 to 8.8.1 (8.8 series)affected
Six Apart Ltd.Movable Type Advanced (Software Edition)8.0.2 to 8.0.8 (8.0 series)affected
Six Apart Ltd.Movable Type Premium (Software Edition)9.0.4 (MTP 9.0 series)affected
Six Apart Ltd.Movable Type Premium (Software Edition)2.13 and earlier (MTP 2 series)affected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (Software Edition)9.0.4 (MTP 9.0 series)affected
Six Apart Ltd.Movable Type Premium (Advanced Edition) (Software Edition)2.13 and earlier (MTP 2 series)affected
Six Apart Ltd.Movable Type (Cloud Edition)9.0.5 (9 series)affected
Six Apart Ltd.Movable Type (Cloud Edition)8.8.1 (8 series)affected
Six Apart Ltd.Movable Type Premium (Cloud Edition)9.0.5 (9 series)affected
Six Apart Ltd.Movable Type Premium (Cloud Edition)2.12 (MTP 2 series)affected

Weaknesses

  • CWE-1236: Improper neutralization of formula elements in a CSV file

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References