Medium severityGHSA Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-42070
CVE-2026-42070
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mantisbt/mantisbtPackagist | < 2.28.2 | 2.28.2 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-pq86-j2c2-47f6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42070ghsaADVISORY
- github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435nvdWEB
- github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6nvdWEB
- mantisbt.org/bugs/view.phpnvdWEB
- mantisbt.org/bugs/view.phpnvdWEB
News mentions
1- MantisBT: Five Bugs Disclosed Together — XSS, Auth Bypass, and Missing Access ControlsVypr Intelligence · May 28, 2026