Description
If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Published: 2026-02-04
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via CSV file download
Action: Assess Impact
AI Analysis

Impact

A malformed CSV file generated by the affected Movable Type editions can trigger execution of embedded code when the victim opens the file, potentially allowing remote code execution. This weakness, identified as CWE-1236, directly compromises the confidentiality, integrity, and availability of the victim’s environment.

Affected Systems

The vulnerability affects Six Apart Ltd. Movable Type Cloud Edition, Software Edition, Advanced, and Premium lines, including the 7 series and 8.4 series, which are currently End-of-Life. Any deployment of these editions that exports or downloads CSV reports is susceptible.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity, and the EPSS of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply malformed data that is later included in a CSV export, and then a victim to download and open that file: an indirect attack vector that depends on user interaction. Despite its low exploitation likelihood, the potential impact warrants prompt attention.

Generated by OpenCVE AI on April 18, 2026 at 18:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch that fixes the malformed CSV export flaw
  • If an upgrade is not immediately possible, disable or restrict CSV export functionality to prevent vulnerable file generation
  • Enforce strict input validation and sanitization of any data that could become part of CSV exports, ensuring that embedded code cannot be executed
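As an added illustration of the sanitization step (example code, not from OpenCVE or Movable Type), the Python snippet below neutralizes formula-triggering cells on CSV export and scans an existing export for cells a spreadsheet would evaluate. The trigger characters, function names and sample rows are assumptions chosen for the example.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula (CWE-1236).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(text):
    """True if the cell would be evaluated as a formula in a spreadsheet."""
    return text.lstrip(" ").startswith(FORMULA_TRIGGERS)

def is_number(text):
    """True for plain numeric text such as -3 or 2.5, which is not a formula."""
    try:
        float(text)
        return True
    except ValueError:
        return False

def neutralize_cell(value):
    """Disarm one cell before export. Application numbers pass through so -5
    stays numeric; text starting with a trigger gets a leading apostrophe,
    the spreadsheet marker for literal text (not displayed in the cell)."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text

def export_rows(rows):
    """Render rows as CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

def find_formula_cells(csv_text):
    """Check an existing export: (row, col) of cells a spreadsheet would run."""
    return [
        (r, c)
        for r, row in enumerate(csv.reader(io.StringIO(csv_text)))
        for c, cell in enumerate(row)
        if is_formula_like(cell) and not is_number(cell)
    ]

# Constructed sample: user-controlled CMS fields, two crafted to look like formulas.
SAMPLE_ROWS = [
    ["id", "author", "comment"],
    [2, "=SUM(1,2)", " @HYPERLINK is also a trigger"],
    [-3, "bob", "+1 from me"],
]
```

Running `find_formula_cells` over an export produced by `export_rows(SAMPLE_ROWS)` returns no hits, while the same check over the raw, unneutralized text flags the crafted author and comment cells.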

Generated by OpenCVE AI on April 18, 2026 at 18:32 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 19:00:00 +0000

Type: Title
Values added: CSV Export Malformed Data Leading to Embedded Code Execution

Wed, 04 Feb 2026 21:30:00 +0000

Type: First Time appeared
Values added: Six Apart; Six Apart movable Type; Six Apart Ltd; Six Apart Ltd movable Type

Type: Vendors & Products
Values added: Six Apart; Six Apart movable Type; Six Apart Ltd; Six Apart Ltd movable Type

Wed, 04 Feb 2026 16:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 07:15:00 +0000

Type: Description
Values added: If malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user downloads and opens such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.

Type: Weaknesses
Values added: CWE-1236

Type: References

Type: Metrics
Values added: cvssV3_0
{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
cvssV4_0
{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-02-04T15:55:26.690Z

Reserved: 2026-01-29T02:02:27.800Z

Link: CVE-2026-24447

Vulnrichment

Updated: 2026-02-04T15:55:22.739Z

NVD

Status: Deferred

Published: 2026-02-04T07:16:01.560

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses