Not a developer? Go to MovableType.com

MovableType.org
Documentation
Home / Documentation / Appendices Appendix: Release Notes

Movable Type 9.1.0 Release Notes

This version of Movable Type was released February 4, 2026.

This version is an internal release.

New and improved features

  • Simplified the definition of ContentField and reduced dependency on Svelte components (MTC-30601)
  • Enabled specifying version numbers using the version modifier in the MTApp:Script and MTApp:Stylesheet tags (MTC-30989)

MTRichTextEditor Plugin

  • Changed the behavior so that when pasting a URL while text is selected, the pasted URL is applied as a link to the selected text (MTC-30818)
  • Added the beforeGetContent, getContent, and setContent events to enhance extensibility (MTC-30889)
  • Enabled the ruby, rt, and rp elements (MTC-30966)
  • Updated to prioritize the <a> element over other inline elements (MTC-31124)

Resolved issues

  • Modified to fix the thumbnail sizes regardless of the window width in Theme listing screen (MTC-30443)
  • Corrected inconsistencies in the OpenAPI documentation and definitions for the search and stats endpoints of Data API v2/v4 (MTC-30741)
  • Fixed an issue in the Role editing screen where inherited permission checks were not properly deselected automatically (MTC-30843)
  • Fixed a typo of UserThemesDirectory in the source code (MTC-30856)
  • Fixed an issue where writing to the directory specified by the UserTemplatePath Configuration Directive did not work correctly when selecting “Link to a file” in the Template editing screen (MTC-30868)
  • Fixed an issue in the Template Admin screen where “Dashboard Widget” was not hidden when filtering by type using the Quick Filter (MTC-30894)
  • Corrected the title of the Dashboard Widget creation screen to “Create Dashboard Widget” (MTC-30895)
  • Fixed an issue in the ContentData listing screen where actions were applied to items outside the filtered results when a filter was active (MTC-30896)
    Fixed an issue where duplicating a child site containing a ContentType Archive Template or ContentType Listing Archive Template caused the duplicated site to reference the original ContentType (MTC-30902)
  • Fixed an issue in TinyMCE 6 where unnecessary HTML escaping was applied to XHR URLs (MTC-30907)
  • Fixed an issue where the UI for changing the publication status was incorrectly displayed in the ContentData editing screen for users with the “Publish Entry” permission (MTC-30908)
  • Fixed an issue where the “Unpublish” action was not displayed in the ContentData listing screen for users with the “Publish Content Data” permission (MTC-30909)
  • Fixed an issue where users with the “Publish Content Data” permission were unable to change the status when creating new ContentData (MTC-30911)
  • Removed unused variables in the upgrade process (MTC-30913)
  • Fixed an issue where an error occurred in the System > License Confirmation screen when the AdminThemeId Configuration Directive was set to empty (MTC-30958)
  • Fixed an issue where the mt_version_id variable inside templates extending the text editor was overwritten by the plugin version (MTC-30961)
  • Removed unused static files related to the deleted plugin FormattedTextForTinyMCE (MTC-30969)
  • Fixed a compatibility issue when the GrantRoleSitesView Configuration Directive was set to tree (MTC-30971)
  • Changed the default value of allow_nonref in the JSON module to 1 in MT::Util::to_json and MT::Util::from_json (MTC-30979)
  • Fixed an issue in the Role editing screen where the closing position of HTML tags became invalid under certain conditions (MTC-30980)
  • Fixed an issue in the admin2025 Admin screen theme where a JavaScript error occurred when signing in as a user without permission to use Admin screen search (MTC-30987)
  • Reduced the recursion depth in the template rebuilding process to mitigate Deep Recursion errors (MTC-30991)
  • Fixed an issue during MT9 upgrades where non-integer values in boolean columns were not handled as 0 (MTC-30994)

MTBlockEditor Plugin

  • Fixed an issue in dynamic publishing on PHP 8.4 where a warning related to xml_set_object appeared when using the MTBlockEditorBlocks tag (MTC-30841)
  • Fixed an issue in the MTBlockEditor plugin where previews were not displayed for certain services (YouTube, TikTok) when using oEmbed (MTC-30992)
  • Fixed an issue in the ContentType editing screen where script elements used by MTBlockEditor were inserted in an invalid position within the HTML structure (MTC-31053)
  • Fixed an issue where layout settings were not applied in Image blocks when using AssetUploader (MTC-31069)

MTRichTextEditor Plugin

  • Fixed an issue in Safari where Bold formatting could not be removed when IME was enabled (MTC-30862)
  • Fixed an issue where inserting a URL using “Paste as text” still created a link (MTC-30876)
  • Fixed an issue where Quick Actions could fail to insert content correctly when operated via keyboard (MTC-30890)
  • Fixed an issue where previews were not displayed for certain services (YouTube, TikTok) when using oEmbed (MTC-30983)
  • Fixed an issue where the editor did not appear in environments running JSON::XS versions lower than 4.00 (MTC-30976)
  • Fixed an issue where inserting lists using Markdown shortcuts added p elements inside li elements (MTC-31061)
  • Fixed an issue where list formatting could not be removed via keyboard operations (MTC-31062)
  • Fixed an issue where embedded objects such as oEmbed items could not be deleted (MTC-31063)
  • Fixed an issue in Google Chrome where the first character entered when using IME was immediately confirmed without becoming part of the conversion sequence (MTC-31068)
  • Fixed an issue in Safari where input could not be entered correctly into list items or table cells when using IME (MTC-31070)

AssetUploader Plugin

  • Fixed an issue where images inserted into Image custom fields via the AssetUploader plugin were displayed without being resized to the appropriate dimensions (MTC-30973)

Dynamic Publishing

  • Fixed an issue where the MTContentField tag did not function correctly within the MTContents tag (MTC-30888)

Security fixes and improvements

  • Fixed a vulnerability of formula injection in the CSV export. Added the Configuration Directive CSVExportEscapeFormula, which escapes cells beginning with specific characters, and CSVExportWithBOM, which controls whether BOM is included (CVE-2026-24447, MTC-30835)
  • Fixed a cross-site scripting (XSS) vulnerability in the Comment editing screen and in the Theme listing screen (CVE-2026-21393, MTC-31001)
  • Fixed a cross-site scripting (XSS) vulnerability in the Site export feature (MTC CVE-2026-22875, MTC-31002)
  • Fixed a cross-site scripting (XSS) vulnerability in the Entry edit screen (CVE-2026-23704, MTC-31104)

Deprecated features

  • Deprecated the utility function MT::Util::is_valid_url and will be removed in a future release. Use MT::Util::is_url to validate a URL instead in 9.1.0 and later (MTC-31079)

Updated plugins

  • Updated MTRichTextEditor from version 1.0.3 to 1.0.4 (MTC-31007)
  • Updated MTBlockEditor from version 1.3.2 to 1.3.3 (MTC-30999)
  • Updated AssetUploader from version 1.0.2 to 1.0.3 (MTC-31051)

Acknowledgement

We would like to thank all those who have reported bugs and requested features for the release. In particular, we would like to thank the following people individually.

  • IPA and JPCERT/CC for their cooperation in notification and handling of vulnerability information
  • Kentaro Ishii, GMO Cybersecurity by Ierae, Inc. (CVE-2026-21393/MTC-31001, CVE-2026-22875/MTC-31002)
  • Makoto Tajima, M-Logic, Inc. (MTC-30843/FEEDBACK-2628) (MTC-30908, MTC-30909/FEEDBACK-2637)
  • Yujiro Araki (MTC-30896/FEEDBACK-2636)
  • riatw (MTC-30961/FEEDBACK-2642)
  • Seiji Hamagaki (MTC-30966/FEEDBACK-2641)
Back