May 20, 2026
[Security Update] Movable Type 9.0.8, 8.8.4 and 8.0.11 Released
By Daiji Hirata and posted in MT Newsbox.
We have released Movable Type 9.0.8, 8.8.4 and 8.0.11 as of May 20, 2026, and some security fixes included. These releases address several issues found in versions 9.0.7, 8.8.3 and 8.0.10. RELEASED VERSIONS Movable Type 9.0.8 Movable Type Advanced 9.0.8 Movable Type AMI (via AWS Marketplace) 9.0.8 Movable Type 8.8.4 Movable Type Advanced 8.8.4 Movable Type AMI (via AWS Marketplace) 8.8.4 Movable Type 8.0.11 Movable Type Advanced 8.0.11 Movable Type AMI (via AWS Marketplace) 8.0.11 Movable Type 9.2.0 (internal release) RELEASE NOTES Please review the Movable Type release notes to see everything that was added and improved since the version you are currently using. Movable Type 9.0.8 Release Notes Movable Type 8.8.4 Release Notes Movable Type 8.0.11 Release Notes Movable Type 9.2.0 Release Notes (internal release) End of Maintenance Please note the End of Maintenance (EOM) and End of Life (EOL) dates for the following versions: Movable Type 8.0.x: Reached EOM on November 6th, 2024. Security support (EOL) will be provided until November 5th, 2026. For more details on product support periods, please refer to the Movable Type Lifecycle Policy. HOW TO GET MOVABLE TYPE If you have an existing Movable Type license, you can download the latest Movable Type…
Read More
April 8, 2026
[Security Update] Movable Type 9.0.7, 8.8.3 and 8.0.10 Released
By Daiji Hirata and posted in MT Newsbox.
Critical security issues were found and fixed in the Listing Framework of Movable Type. For those of you who use Movable Type 6.0 and later, Six Apart strongly recommends that you upgrade to the latest version or execute one of the following workarounds immediately. Detail of the Issues The Listing Framework, which is used internally by the Admin Panel (mt.cgi) and the Data API (mt-data-api.cgi), contained the following vulnerabilities: Remote Code Execution (RCE) via Filter Processing: A vulnerability was found in the filtering process of the Listing Framework that could allow the execution of arbitrary Perl code (CVE-2026-25776, MTC-31204). SQL Injection via Request Processing: A vulnerability was found in the request processing of the Listing Framework that could allow the execution of arbitrary SQL commands (CVE-2026-33088, MTC-31212). These issues may occur when the Admin Panel or Data API can be accessed from the Internet. Workarounds for those who cannot upgrade to the latest version The following steps can be taken to avoid or reduce the impact of the vulnerability: Restrict access to the Admin Panel (mt.cgi) and Data API (mt-data-api.cgi): Limit access to these scripts to trusted IP addresses only. Disable the Data API: If you are not using the…
Read More
February 4, 2026
[Security Update] Movable Type 9.0.6, 8.8.2 and 8.0.9 Released
By Daiji Hirata and posted in MT Newsbox.
We have released Movable Type 9.0.6, 8.8.2 and 8.0.9 as of February 4, 2026, and some security fixes included. These releases address several issues found in versions 9.0.5, 8.8.1 and 8.0.8….
Read More
