Home
MEDIUM: 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:LMEDIUM: 4.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
affected
8.8.0 to 8.8.1 (8.8 series)
affected
8.0.2 to 8.0.8 (8.0 series)
affected
affected
2.13 and earlier (MTP 2 series)
affected
affected
2.13 and earlier (MTP 2 series)
affected
affected
8.8.1 (8 series)
affected
affected
2.12 (MTP 2 series)
affected
Description
If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user's environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well.
Problem types
Improper neutralization of formula elements in a CSV file
Product status
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
8.8.0 to 8.8.1 (8.8 series)
8.0.2 to 8.0.8 (8.0 series)
2.13 and earlier (MTP 2 series)
2.13 and earlier (MTP 2 series)
8.8.1 (8 series)
2.12 (MTP 2 series)
References
movabletype.org/news/2026/02/mt-906-released.html
www.sixapart.jp/movabletype/news/2026/02/04-1100.html