Movable Type 8.8.3 Release Notes
This version of Movable Type was released April 8, 2026.
This version fixed security issues.
Resolved issues
Security fixes and improvements
- Fixed a vulnerability in the listing framework’s filter processing that allowed the execution of arbitrary Perl code (Remote Code Execution). (CVE-2026-25776, MTC-31204)
- Fixed a vulnerability in the listing framework’s request processing that allowed the execution of arbitrary SQL commands (SQL Injection). (CVE-2026-33088, MTC-31212)
Note: The listing framework is used internally by the administration interface (mt.cgi) and the Data API (mt-data-api.cgi).
Acknowledgments
We would like to thank those who reported these vulnerabilities for their contribution to this release. We would also like to thank JPCERT/CC and IPA for their assistance in handling the vulnerability information.
- Sho Odagiri of GMO Cybersecurity by Ierae, Inc. (CVE-2026-25776, MTC-31204)
