Movable Type 8.0.9 Release Notes

This version of Movable Type was released February 4, 2026.

This release includes security fixes. Six Apart recommends that you upgrade to the latest version.

Security fixes and improvements

  • Added protections against formula injection in the CSV export feature, and added two configuration directives: CSVExportEscapeFormula, which escapes cells that start with specific characters, and CSVExportWithBOM, which controls whether a BOM is included (CVE-2026-24447, MTC-30835)
  • Fixed an issue where cross-site scripting (XSS) could occur on the comment editing screen and the theme listing screen (CVE-2026-21393, MTC-31001)
  • Fixed an issue where cross-site scripting (XSS) could occur in the site export feature (CVE-2026-22875, MTC-31002)
  • Fixed an issue where cross-site scripting (XSS) could occur on the Entry editing screen (CVE-2026-23704, MTC-31104)

Acknowledgement

We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.

  • IPA and JPCERT/CC for their cooperation in notification and handling of vulnerability information
  • Kentaro Ishii, GMO Cybersecurity by Ierae, Inc. (CVE-2026-21393/MTC-31001, CVE-2026-22875/MTC-31002)
