Movable Type 8.8.4 Release Notes

This version of Movable Type was released May 20, 2026.

This release includes security fixes. Six Apart recommends that you upgrade to the latest version.

New and improved features

• Added support for OAuth 2.0 (Gmail, Outlook) as SMTP authentication for email sending (SUPPORT-37)
• Improved to display the Movable Type schema version on the system information screen (SUPPORT-654)
• Improved messages related to missing required Perl modules displayed during upgrade and other operations (SUPPORT-724)
• Added a date range option to the bulk delete function for system logs, allowing deletion of logs prior to the specified date and time (SUPPORT-756)
• Changed the client secret input field in the GoogleAnalyticsV4 plugin to a password field (MTC-31207)
• Updated bundled extlib CPAN modules (MTC-31138, MTC-31175)
  
  • CGI (4.69 → 4.71)
  • Data::ObjectDriver (0.25 → 0.27)
  • File::Temp (0.2311 → 0.2312)
  • Image::ExifTool (13.30 → 13.44)
  • LWP::Protocol::http (6.78 → 6.81)
  • LWP::UserAgent (6.78 → 6.81)
  • MIME::Lite (3.033 → 3.035)
  • MIME::Types (2.28 → 2.30)
  • Net::HTTPS (6.23 → 6.24)
  • URI (5.32 → 5.34)
  • Updated MT::Image::ExifData used for image metadata processing to the latest version (MTC-31075)

MTRichTextEditor

• Changed to insert HTML snippets such as embedded video player iframes as HTML tags instead of escaped text when pasted into the editing area (MTC-30817)
• Added support for svg elements (MTC-31120)
• Updated the version of Tiptap in use to 3.20.1 (MTC-31054)

Dynamic Publishing

• Updated bundled ADOdb from 5.22.7 to 5.22.11 (MTC-30718)
• Updated league/commonmark bundled with the CommonMark plugin from 2.7.0 to 2.8.1 (MTC-31218)

JavaScript libraries

• Now supporting jQuery 4 and bundled jQuery 4.0.0. The Configuration Directive UsejQuery4 to 1 to enable, and updated SharedPreview plugin to be applied the Configuration Directive (MTC-31132 / MTC-31152)
• Updated jQuery Validation from 1.20.0 to 1.22.1 (MTC-31150)
• Updated jQuery UI from 1.14.1 to 1.14.2 (MTC-31151)
• Updated jquery.ui.touch-punch.js used for touch interactions in the Admin screen to a version with added support for the jQuery 3 series and other improvements (MTC-31169)
• Changed the graph rendering library to Chart.js used in access analytics on Admin screen (MTC-28555)

Resolved issues

• Fixed to show the shared preview link and permalink when using the shared preview feature with older admin themes, such as “admin2023” (MTC-31186)
• Fixed an issue where incorrect characters were included in the HTTP Content-Type header when loading ContentData in a modal window (MTC-31116)
• Fixed an issue where jQuery Migrate warnings were output in the browser developer tools when displaying the Shared Preview screen (MTC-30569)
• Fixed an issue where a 404 error occurred when operating the ContentType editing screen if the Configuration Directive UseRiot was set to 1 (MTC-30625)
• Fixed an issue where users with only the “create ContentData” permission for each ContentType could not edit their own published ContentData from the listing screen (MTC-30910)
• Fixed an issue in the Entry import and export feature where exported data could not be correctly imported if the separator string in MT format was included in the Entry data (MTC-31058)
• Excluded mt_deletefileinfo table from Export of Site Data targets, to avoid unexpected behavior at Site Import (MTC-31093)
• Fixed an issue where mirroring was not performed correctly for certain values of the Exif Orientation tag when the “Automatically correct image orientation” feature was enabled during asset upload (MTC-31118)
• Fixed an issue in the BlockEditor plugin where uninitialized variable warnings occurred when searching ContentData that included image fields if image data did not exist (MTC-31134)
• Fixed an issue where uninitialized variable warnings occurred during ContentData search when information for ContentField of type ContentType could not be retrieved due to corruption or other issues (MTC-31135)
• Fixed an issue where uninitialized variable warnings occurred when sorting by author on the listing screen that included Entry created by deleted users (MTC-31137)
• Excluded YAML::PP from the automatic detection targets of MT::Util::YAML to avoid issues in specific environments (MTC-31145)
• Fixed an issue where deleting old ContentData of a ContentType using a date field in Archive mapping unintentionally updated the latest ContentType Archive content (MTC-31167)
• Fixed an issue where saving continued without being properly handled as an error when the pre-save callback cms_pre_save.content_data returned a false value (MTC-31172)
• Changed to exclude the mt_preview table, which stores session data for Shared Preview, from site export targets (MTC-31176)
• Fixed an issue to skip restoration when data from tables specified as excluded were included during site backup restoration (MTC-31094)
• Modified to validate requests using the state parameter when obtaining tokens in the GoogleAnalyticsV4 plugin (MTC-31208)
• Fixed an issue where the “Always export all options” checkbox on the export screen was unintentionally unchecked when exporting a theme with overwrite (SUPPORT-770)

Dynamic Publishing

• Fixed an issue where the template tag MTAssetFilePath could not correctly handle pseudo paths such as %r and %a, resulting in incorrect file path output (MTC-31215)

MTRichTextEditor

• Fixed an issue where unnecessary spaces were inserted and displayed when using ruby elements (MTC-31168)
• Fixed to allow removal of p elements inserted before oEmbed objects (MTC-31101)
• Fixed an issue where images were deleted when attempting to set links on images in the Entry editing screen (MTC-31113)
• Fixed an issue where the context toolbar was displayed above modal windows (MTC-31125)
• Fixed behavior where empty div elements were difficult to delete using keyboard operations (MTC-31224)
• Fixed behavior where p elements were added inside empty div elements when saving (MTC-31223)
• Fixed behavior where a elements directly under div elements were wrapped with p elements (MTC-31222)
• Fixed the HTML structure when pasting text including line breaks and other content (MTC-31173)
• Fixed an issue where unintended p elements were inserted when editing text contained in td and th elements (MTC-31291)

Server Sync

• Fixed an issue where delivery restarted after server delivery was interrupted midway (MTC-31106)

Security fixes and improvements

• Fixed an issue where a user without appropriate permissions could proceed with the upgrade process upon signing in while the installed Movable Type or plugins are being upgraded. The behavior can be reverted to the previous state using the RequireUpgradePermission configuration directive (MTC-30699)
• Enhanced escaping processing for variables used in event handler attributes in the Admin screen (MTC-30998)

Updated plugins

• Updated MTRichTextEditor from 1.0.4 to 1.0.5 (MTC-31302)

Acknowledgments

We would like to thank those who reported these vulnerabilities for their contribution to this release. We would also like to thank JPCERT/CC and IPA for their assistance in handling the vulnerability information.

• Makoto Tajima, M-Logic, Inc. (MTC-31118, MTC-31119 / FEEDBACK-2649)
• Shunsuke Okoshi, EVOWORX Co., Ltd. (MTC-31113 / FEEDBACK-2647)

Checksums

• MT-8.8.4.zip SHA1,SHA256
• MTA-8.8.4.zip SHA1,SHA256