Not a developer? Go to


Movable Type 6.6.0 Release Notes

This version of Movable Type was released May 13, 2020.

Movable Type 6.6.0 includes several changes including security fixes.

New and Improved functions

  • [MTC-26528] Add Table in RichText Editor.
  • [MTC-27218] Enable selecting tasks via run-periodic-tasks
  • [MTC-27190] Improve not to insert unnecessary line-feed or space in “Convert to Linefeed”.
  • [MTC-27130] Log to STDERR when MT::Util::Log is not set.
  • [MTC-27119] Add PurePerl Digest::SHA、Digest::MD5 modules for fallback.
  • [MTC-27063] Log removing a file at rebuilding.
  • [MTC-27011] Support PHP 7.4
  • [MTC-27006] Enable DBHost with Oracle.
  • [MTC-26629] Enable “requiresslreuse=YES” in Content Sync.
  • [MTC-10962] Support Emoji, with utf8mb4 of MySQL / MariaDB.

Updated Functions

  • [MTC-27256] Remove composer.json and composer.lock from the MT package.
  • [MTC-27196] The default email encoding is changed to UTF-8.
  • [MTC-27137] Remove DjDT modules used in debug mode.
  • [MTC-27134] Update several Perl modules in extlib
  • [MTC-27120] The file list of Content Sync is not included when exporting a site.
  • [MTC-27117] The first frame of Animation GIF is used as a thumbnail.
  • [MTC-27116] Remove ezsql.
  • [MTC-27115] Update ADOdb to 5.20.16
  • [MTC-27114] Update Smarty to 3.1.31.
  • [MTC-27103] Update Image::ExifTool to 11.85.
  • [MTC-26913] Remove some ping update services that were closed.
  • [MTC-12579] Remove unnecessary method definition in Group feature.
  • [MTC-7105] Remove unnecessary codes from a list of templates.

Resolved Issues

Security Fixes and Improvements

  • [MTC-27147] Fix XSS in __mode=rebuild. (CVE-2020-5575)
  • [MTC-27146] Fix CSRF in _mode=startrebuild. (CVE-2020-5576)
  • [MTC-27144] Fix XSS in template list. (CVE-2020-5575)
  • [MTC-27143] Fix CSRF via Sign-In page. (CVE-2020-5576)
  • [MTC-27142] Fix not to upload a double extension PHP file. (CVE-2020-5577)
  • [MTC-27141] Fix an open redirect issue in __mode=recover. (CVE-2020-5574)
  • [MTC-27140] Fix XSS in _mode=startrebuild. (CVE-2020-5575)


  • [MTC-27247] Unlist some OpenID providers that were obsolete.
  • [MTC-25943] Fix not to show an alert at creating a site.
  • [MTC-27184] Fix to update the file information correctly in Content Sync.
  • [MTC-27177] Fix an error at sorting child sites in the site list of the System.
  • [MTC-27124] Fix links of DBMS module in mt-wizard.cgi.
  • [MTC-26951] Fix not to show jQuery alerts.
  • [MTC-25376] Fix some MT tags in preview mode.
  • [MTC-24981] Fix sort order of the list of users in system view.
  • [MTC-13236] Fix to store iframe in embed object of Custom Field.
  • [MTC-12652] Remove unnecessary spaces in the error message of Database Setting.
  • [MTC-10820] Fix an item name of pull down menu of cell attribution of Table Feature For TinyMCE.
  • [MTC-7280] Fix to check uniqueness of Role name.
  • [MTC-7218] Fix to allow the role of “managing web pages” to create a new folder.

Features to be deprecated in the next or future release.

  • [MTC-27075] Remove TypeKey related modules and functions.
  • [MTC-27296] Remove Motion Plugin
  • [MTC-27297] Remove OpenID Plugin
  • [MTC-26983] Remove Crypt code from MT Core.
  • [MTC-27074] Deprecate MT::Util::perlsha1digest(_hex)
  • [MTC-27298] Deprecate Update Ping


Many bug fixes and patch offerings reported by the Movable Type community are included in this release. The names of community members who provided patches and bug reports through Jira are as follows. I appreciate your cooperation! (In no particular order, titles omitted)

  • Toshitsugu Yoneyama / Mitsui Bussan Secure Directions, Inc., IPA, JPCERT/CC, - MTC-27147、MTC-27146、MTC-27144、MTC-27143、MTC-27141、MTC-27140
  • Yuji Tounai / Mitsui Bussan Secure Directions, Inc., IPA, JPCERT/CC, - MTC-27142
  • Lift - MTC-27141
  • Skyarc Co., Ltd. - MTC-27222
  • Homare Urayama - MTC-27099