CSV File Execution Vulnerability in Movable Type by Six Apart
CVE-2026-24447

4.8MEDIUM

Key Information:

Vendor: Six Apart Ltd.
Status: Movable Type (software Edition); Movable Type Advanced (software Edition); Movable Type Premium (software Edition); Movable Type Premium (advanced Edition) (software Edition)
Vendor: CVE Published:; 4 February 2026

🔔 Create Six Apart Ltd. Vulnerability Alert

What is CVE-2026-24447?

This vulnerability arises when malformed data is input into Movable Type, resulting in a CSV file containing this corrupted data. When users download and open the affected CSV file, the malicious code embedded within may execute in their environment, potentially compromising user systems. Notably, both Movable Type 7 and 8.4 series, which have reached their End-of-Life status, are impacted by this issue.

Affected Version(s)

Movable Type (Cloud Edition) 9.0.5 (9 series)

Movable Type (Cloud Edition) 8.8.1 (8 series)

Movable Type (Software Edition) 9.0.4 to 9.0.5 (9.0 series)

References

https://movabletype.org/news/2026/02/mt-906-released.html

https://www.sixapart.jp/movabletype/news/2026/02/04-1100....

https://jvn.jp/en/jp/JVN45405689/

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

CVSS V3.0

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2026
Vulnerability Reserved
Jan 29, 2026

CVE-2026-24447 Data

JSON