Not a developer? Go to MovableType.com

MovableType.org
Documentation
Home / Documentation / Appendices Appendix: Release Notes

Movable Type 9.0.6 Release Notes

This version of Movable Type was released February 4, 2026.

This release addresses issues found in Movable Type 9.0.5.

New and improved features

  • Enabled specifying version numbers using the version modifier in the MTApp:Script and MTApp:Stylesheet tags (MTC-30989)

MTRichTextEditor Plugin

  • Changed the behaviorit so that when pasting a URL while text is selected, it is set as a link to that text (MTC-30818)
  • Added the beforeGetContent, getContent, and setContent events to enhance extensibility (MTC-30889)
  • Enabled the use of the ruby, rt, and rp elements (MTC-30966)
  • Updated to prioritize the <a> element over other inline elements (MTC-31124)

Resolved issues

  • Fixed an issue in the Role editing screen where inherited permission checks were not automatically deselected correctly (MTC-30843)
  • Fixed an issue where writing to the directory specified by the UserTemplatePath Configuration Directive was not performed correctly when selecting “Link to a file” in the Template editing screen (MTC-30868)
  • Fixed an issue in the Template listing screen where “Dashboard Widget” was not hidden when filtering by type using the Quick Filter (MTC-30894)
  • Corrected the title in the Dashboard Widget creation screen to “Create Dashboard Widget” (MTC-30895)
  • Fixed an issue in the ContentData list screen where actions were applied to items outside the filtered results when executing an action after applying a filter (MTC-30896)
  • Fixed an issue where duplicating a child site containing a ContentType Archive Template or ContentType Listing Archive Template caused the duplicated site to reference the original site’s ContentType (MTC-30902)
  • Fixed an issue in TinyMCE 6 where unnecessary HTML escaping was applied to XHR URLs (MTC-30907)
  • Fixed an issue where the publish-status change UI was incorrectly displayed in the ContentData edit screen for users who had the “Publish Entriesy” permission (MTC-30908)
  • Fixed an issue where the “Unpublish” action was not displayed in the ContentData list screen for users who had the “Publish ContentData” permission (MTC-30909)
  • Fixed an issue where users who had the “Publish ContentData” permission could not change the status when creating new ContentData (MTC-30911)
  • Fixed an issue where setting the Configuration Directive AdminThemeId to an empty value caused an error to occur in the System > License Verification screen (MTC-30958)
  • Fixed an issue where the variable mt_version_id inside templates that extend the text editor was overwritten by the plugin version (MTC-30961)
  • Fixed a compatibility issue that occurred when setting the Configuration Directive GrantRoleSitesView to tree (MTC-30971)
  • Changed the default value of allow_nonref in the JSON module to 1 for MT::Util::to_json and MT::Util::from_json (MTC-30979)
  • Fixed an issue in the role edit screen where HTML tag closing positions became invalid under certain conditions (MTC-30980)
  • Fixed an issue in the admin2025 Admin screen theme where a JavaScript error occurred when signing in as a user without permission to use Admin screen search (MTC-30987)

MTBlockEditor Plugin

  • Fixed an issue in dynamic publishing on PHP 8.4 where a warning related to xml_set_object was displayed when using the MTBlockEditorBlocks tag (MTC-30841)
  • Fixed an issue where previews were not displayed for certain services (YouTube, TikTok) when using oEmbed (MTC-30992)
  • Fixed an issue in the ContentType edit screen where the script element used by MTBlockEditor was inserted in an invalid position within the HTML structure (MTC-31053)
  • Fixed an issue where placement settings were not applied in Image blocks when using AssetUploader (MTC-31069)

MTRichTextEditor Plugin

  • Fixed an issue in Safari where disabling Bold while IME was active did not remove the bold styling from subsequently entered characters (MTC-30862)
  • Fixed an issue where URLs were inserted as links even when selecting “Paste as text” (MTC-30876)
  • Fixed an issue where insert actions in Quick Actions were not correctly performed when using keyboard operations (MTC-30890)
  • Fixed an issue where previews were not displayed for certain services (YouTube, TikTok) when using oEmbed (MTC-30983)
  • Fixed an issue where the editor did not appear in environments running JSON::XS versions lower than 4.00 (MTC-30976)
  • Fixed an issue where inserting a list using Markdown shortcuts added a p element inside the li element (MTC-31061)
  • Fixed an issue where bulleted lists could not be removed using keyboard operations (MTC-31062)
  • Fixed an issue where embedded objects such as oEmbed could not be deleted (MTC-31063)
  • Fixed an issue in Google Chrome where the first character typed with IME enabled was finalized without being subject to conversion (MTC-31068)
  • Fixed an issue in Safari where input could not be entered correctly into list items or table cells when using IME (MTC-31070)

AssetUploader Plugin

  • Fixed an issue in Image custom fields where images inserted via AssetUploader were displayed without being resized to the appropriate dimensions (MTC-30973)

Dynamic Publishing

  • Fixed an issue where MTContentField did not function correctly within the MTContents tag (MTC-30888)

Security fixes and improvements

  • Implemented protections against formula injection in CSV file exports. Added the Configuration Directive CSVExportEscapeFormula, which escapes cells beginning with specific characters, and the Configuration Directive CSVExportWithBOM, which controls whether a BOM is included (CVE-2026-24447, MTC-30835)
  • Fixed cross-site scripting (XSS) vulnerabilities in the comment edit screen and the Theme list screen (CVE-2026-21393, MTC-31001)
  • Fixed a cross-site scripting (XSS) vulnerability in the site export feature (MTC CVE-2026-22875, MTC-31002)
  • Fixed a cross-site scripting (XSS) vulnerability in the Entry edit screen (CVE-2026-23704, MTC-31104)

Deprecated features

  • Removed translation files for European languages in the cloud edition (AMI Edition) (MTC-30669)

Updated plugins

  • Updated MTRichTextEditor from version 1.0.3 to 1.0.4 (MTC-31007)
  • Updated MTBlockEditor from version 1.3.2 to 1.3.3 (MTC-30999)
  • Updated AssetUploader from version 1.0.2 to 1.0.3 (MTC-31051)

Acknowledgement

We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.

  • IPA and JPCERT/CC for their cooperation in notification and handling of vulnerability information
  • Kentaro Ishii, GMO Cybersecurity by Ierae, Inc. (CVE-2026-21393/MTC-31001, CVE-2026-22875/MTC-31002)
  • Makoto Tajima, M-Logic, Inc. (MTC-30843/FEEDBACK-2628) (MTC-30908, MTC-30909/FEEDBACK-2637)
  • Yujiro Araki (MTC-30896/FEEDBACK-2636)
  • riatw (MTC-30961/FEEDBACK-2642)
  • Seiji Hamagaki (MTC-30966/FEEDBACK-2641)

Checksums

Back