Movable Type 8.0.6 Release Notes
This release includes security fixes. Six Apart recommends that you upgrade to the latest version.
New and improved features
- Updated MTBlockEditor to version 1.2.5
- Updated MFA (Multi-Factor Authentication) plugin to version 1.0.5
- Modified to insert an image as an Asset, not a data URL, when dragging and dropping an image onto the Rich Text Editor with TinyMCE 6 (MTC-29947)
Resolved issues
- Fixed an issue where line breaks were not converted to <br> elements when pasting multi-line text in TinyMCE6 (MTC-30072)
- Fixed an issue where inserting images in the old block editor caused an error when the width of thumbnails was specified (MTC-29967)
- Fixed an issue where the user-specific archives of ContentType were not always fully rebuilt (MTC-29907)
- Fixed mt-search.cgi so that it completes processing of requests with mass request parameters (MTC-29943)
- Fixed performance issues in parameter processing of the Data API (MTC-29962)
- Fixed performance issues in parameter processing of Comment (MTC-29955)
- Improved performance of mt-search.cgi with specific parameters (MTC-29961)
- Fixed performance issues in parameter processing of mt-search.cgi (MTC-29953)
Security fixes and improvements
- Updated TinyMCE 6 to 6.8.5 in the TinyMCE6 plugin (MTC-29922)
- Updated jQuery Validate to 1.20.0 (MTC-29946)
- Fixed Cross Site Scripting (XSS) of object embedding in MT Blockeditor using TinyMCE6 Plugin (CVE-2025-24841, MTC-29997)
- Fixed Cross Site Scripting (XSS) on the page of Edit a Custom Block in MT Blockeditor (CVE-2025-22888, MTC-29937)
- Fixed Cross Site Scripting (XSS) on Edit user page (CVE-2025-25054, MTC-30057)
Acknowledgement
We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.
- Koiwai Dairy Products Co., Ltd. Mr. LEE BEOMSEOK (MTC-30057)
- IPA and JPCERT/CC for their cooperation in notification and handling of vulnerability information.