Not a developer? Go to MovableType.com

MovableType.org
Documentation
Home / Documentation / Appendices Appendix: Release Notes

Movable Type 8.8.2 Release Notes

This version of Movable Type was released February 4, 2026.

This release includes security fixes. Six Apart recommends that you upgrade to the latest version.

New and improved features

  • Enable specifying a version number with the version modifier for the MTApp:Script and MTApp:Stylesheet tags (MTC-30989)

MTRichTextEditor plugin

  • Changed the behavior so that when pasting a URL with text selected, the pasted URL is set as a link to that text (MTC-30818)
  • Add the beforeGetContent, getContent, and setContent events to improve extensibility (MTC-30889)
  • Enable the use of the ruby, rt, and rp elements (MTC-30966)
  • Updated to prioritize the <a> element over other inline elements (MTC-31124)

Resolved issues

  • Fixed an issue in the Role editing screen where inherited permission checks were not automatically deselected correctly (MTC-30843)
  • Fixed an issue in the Template Edit admin screen where writing to the directory specified by the UserTemplatePath Configuration Directive was not performed correctly when “Link to a file” was selected (MTC-30868)
  • Fixed an issue where executing an action in the ContentData listing screen with a filter applied caused the action to be applied to data outside the filter scope (MTC-30896)
  • Fixed an issue where, when duplicating a child site that includes a ContentType Archive Template or a ContentType Listing Archive Template, the original ContentType was referenced (MTC-30902)
  • Fixed an issue in TinyMCE 6 where unnecessary HTML escaping was applied to the XHR URL (MTC-30907)

  • Fixed the issue where the publish status change UI was incorrectly displayed on the ContentData edit screen for users who had the “Publish Entries” permission (MTC-30908)

  • Fixed the issue where the 「Unpublish」 action was not displayed on the ContentData listing screen for users who had the 「Publish ContentData」 permission (MTC-30909)

  • Fixed the issue where users who had the 「Publish ContentData」 permission were unable to change the status when creating new ContentData (MTC-30911)
  • Fixed an issue where an error occurred on the System > License Verification screen when the configuration directive AdminThemeId was set to empty (MTC-30958)
  • Fixed an issue where the mt_version_id variable was overwritten by the plugin version inside templates that extend the text editor (MTC-30961)
  • Fixed a compatibility issue that occurred when setting the configuration directive GrantRoleSitesView to tree (MTC-30971)
  • Changed the default value of allow_nonref in the JSON module to 1 in MT::Util::to_json and MT::Util::from_json (MTC-30979)
  • Fixed an issue where the closing position of HTML tags became invalid under certain conditions in the role editing screen (MTC-30980)

MTBlockEditor Plugin

  • Fixed an issue in dynamic publishing on PHP 8.4 where warnings related to xml_set_object appeared when using the MTBlockEditorBlocks tag (MTC-30841)
  • Fixed an issue where previews were not displayed for certain services (YouTube, TikTok) when using oEmbed (MTC-30992)
  • Fixed an issue in the ContentType editing screen where the script element used by MTBlockEditor was inserted in an incorrect position within the HTML structure (MTC-31053)
  • Fixed an issue where placement settings in the Image block were not applied when using AssetUploader (MTC-31069)

MTRichTextEditor Plugin

  • Fixed an issue where disabling Bold in Safari with IME enabled still left the text bold (MTC-30862)
  • Fixed an issue where selecting Paste as text still inserted a URL as a link (MTC-30876)
  • Fixed an issue where Quick Actions were not inserted correctly when using keyboard operations (MTC-30890)
  • Fixed the issue where previews were not displayed for some services such as YouTube and TikTok when using oEmbed (MTC-30983)
  • Fixed the issue where the editor was not displayed in environments where the version of JSON::XS was lower than 4.00 (MTC-30976)

  • Fixed an issue where inserting a list using the Markdown shortcut added a p element inside an li element (MTC-31061)

  • Fixed an issue where bullet lists could not be removed using keyboard operations (MTC-31062)

  • Fixed an issue where embedded objects such as oEmbed could not be deleted (MTC-31063)
  • Fixed an issue where the first character entered immediately after starting input with IME in Google Chrome was confirmed without being included in conversion (MTC-31068)
  • Fixed an issue where input into list items or table cells did not work correctly when using IME in Safari (MTC-31070)

Dynamic Publishing

  • Fixed an issue where MTContentField did not work correctly inside the MTContents tag (MTC-30888)

Security fixes and improvements

  • Added protections against formula injection in the CSV export feature, and added the Configuration Directives CSVExportEscapeFormula to escape cells that start with specific characters and CSVExportWithBOM to control whether a BOM is included (CVE-2026-24447, MTC-30835)
  • Fixed an issue where cross-site scripting (XSS) could occur on the comment editing screen and the theme listing screen (CVE-2026-21393, MTC-31001)
  • Fixed an issue where cross-site scripting (XSS) could occur in the site export feature (MTC-31002)
  • Fixed an issue where cross-site scripting (XSS) could occur on the Entry editing screen (CVE-2026-23704, MTC-31104)

Deprecated features

  • Deprecated European language translation files in the Movable Type AMI Edition (MTC-30669)

Updated plugins

  • Updated MTRichTextEditor from 1.0.3 to 1.0.4 (MTC-31007)
  • Updated MTBlockEditor from 1.3.2 to 1.3.3 (MTC-30999)
  • Updated AssetUploader from 1.0.1 to 1.0.2 (MTC-31051)

Acknowledgement

We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.

  • IPA and JPCERT/CC for their cooperation in notification and handling of vulnerability information
  • Kentaro Ishii, GMO Cybersecurity by Ierae, Inc. (CVE-2026-21393/MTC-31001, CVE-2026-22875/MTC-31002)
  • Makoto Tajima, M-Logic, Inc. (MTC-30843/FEEDBACK-2628) (MTC-30908, MTC-30909/FEEDBACK-2637)
  • Yujiro Araki (MTC-30896/FEEDBACK-2636)
  • riatw (MTC-30961/FEEDBACK-2642)
  • Seiji Hamagaki (MTC-30966/FEEDBACK-2641)

Checksums

Back