Packagist (Composer) package
mantisbt/mantisbt
pkg:composer/mantisbt/mantisbt
Vulnerabilities (64)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-39960 | Medium | 5.4 | — | < 2.28.2 | 2.28.2 | May 20, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settin |
| CVE-2026-34970 | Medium | — | — | < 2.28.2 | 2.28.2 | May 20, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2. |
| CVE-2026-34754 | Medium | 4.3 | — | < 2.28.2 | 2.28.2 | May 20, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2. |
| CVE-2026-34744 | Medium | — | — | < 2.28.2 | 2.28.2 | May 19, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality cau |
| CVE-2026-34579 | Medium | — | — | >= 2.26.1, < 2.28.2 | 2.28.2 | May 19, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature. Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves |
| CVE-2026-34463 | High | — | — | < 2.28.2 | 2.28.2 | May 19, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before t |
| CVE-2026-34390 | Medium | — | — | < 2.28.2 | 2.28.2 | May 19, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access leve |
| CVE-2026-44657 | High | — | — | < 2.28.2 | 2.28.2 | May 11, 2026 | Using the *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. Impact: Cross-site scripting. Patches: 26647b2e68ba30b9d7987d4e |
| CVE-2026-44655 | High | — | — | >= 1.3.0, < 2.28.2 | 2.28.2 | May 11, 2026 | Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in the Move Attachments admin page. Impact: Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts e |
| CVE-2026-42071 | High | — | — | >= 2.23.0, < 2.28.2 | 2.28.2 | May 11, 2026 | A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment |
| CVE-2026-42070 | — | — | — | < 2.28.2 | 2.28.2 | May 11, 2026 | The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required |
| CVE-2026-41897 | — | — | — | >= 1.0.0, < 2.28.2 | 2.28.2 | May 11, 2026 | Lack of validation of the filter_target parameter on return_dynamic_filters.php (normally used as an AJAX call in the View Issues page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. Impact: Cross-site scripting (XSS). Patches: c885af13f0b859671 |
| CVE-2026-40607 | High | — | — | >= 2.1.0, < 2.28.2 | 2.28.2 | May 11, 2026 | Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Impact: Cross-site scripting (XSS). Note that by default, only users with *Manager* access level or above can save their filters publicly |
| CVE-2026-40598 | — | — | — | < 2.28.2 | 2.28.2 | May 11, 2026 | Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could p |
| CVE-2026-40597 | High | — | — | < 2.28.2 | 2.28.2 | May 11, 2026 | Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's _script-src_ directive by uploading a crafted attachment to any issue that, when accessed via the _file_download.php_ link, will be downloaded with a valid JavaScript M |
| CVE-2026-40596 | High | — | — | >= 2.11.0, < 2.28.2 | 2.28.2 | May 11, 2026 | Any authenticated user can inject arbitrary HTML by updating their account's font family. Impact: Cross-site scripting. The injected payload will be reflected in every MantisBT page. Leveraging another vulnerability (CSP bypass, see [GHSA-9c3j-xm6v-j7j3](https://github.com/ |
| CVE-2026-33548 | — | — | — | >= 2.28.0, < 2.28.2 | 2.28.2 | Mar 23, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when di |
| CVE-2026-33517 | — | — | — | >= 2.28.0, < 2.28.1 | 2.28.1 | Mar 23, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbit |
| CVE-2026-30849 | — | — | — | < 2.28.1 | 2.28.1 | Mar 23, 2026 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database bac |
| CVE-2025-62520 | — | — | — | < 2.27.2 | 2.27.2 | Nov 4, 2025 | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private |
Page 1 of 4