Five CVEs Disclosed in MantisBT: XSS, Auth Bypass, and Missing Access Controls Patched
Five vulnerabilities, including script execution in the browser via crafted XHTML attachments and an authorization bypass that exposes private bugnote attachments, were disclosed in MantisBT on May 28, 2026; all are fixed as of version 2.28.2 (one is reported as fixed earlier, in 2.28.0).

The open-source issue tracker Mantis Bug Tracker (MantisBT) had five security vulnerabilities disclosed together on May 28, 2026, covering cross-site scripting (XSS), authorization bypass, and missing access control flaws. The batch affects versions ranging from as early as 1.0.0 up to 2.28.1, and all reported issues have been addressed in releases 2.28.2 and 2.28.0.
The most severe of the batch, CVE-2026-44657 (High), lets an attacker who can upload attachments get JavaScript executed in the browser of anyone who views a crafted attachment inline. The attacker uploads an XHTML attachment that references a second, JavaScript attachment; when the XHTML file is rendered inline through file_download.php with show_inline=1, the referenced script runs in the origin of the tracker. The inline view is gated by the file_show_inline_token form-security token, so the request has to carry a valid one. This vulnerability affects all versions prior to 2.28.2, where it has been fixed.
CVE-2026-44655 (High) affects MantisBT versions 1.3.0 through 2.28.1. An unescaped Project Name field allows an attacker who can set it — typically requiring manager or administrator access level — to inject arbitrary HTML into the Move Attachments admin page. The fix was released in version 2.28.2.
CVE-2026-42071 (High) affects versions 2.23.0 through 2.28.1. A missing authorization check in MantisBT's file visibility function allows any authenticated user with at least REPORTER access to download attachments on private bugnotes they should not be able to access. The attack is carried out via the REST API endpoint GET /api/rest/issues/{id}/notes/{note_id}/files/{file_id}. This was fixed in 2.28.2.
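Both of these attachment issues leave a footprint in ordinary web-server access logs. The script below is an added example, not MantisBT project code: it triages combined-format (Apache/nginx) log lines for the two request shapes named above, an inline attachment view on file_download.php whose Referer is itself an inline view (one rendered attachment pulling in another, the CVE-2026-44657 shape), and one client fetching bugnote files across many issues through the REST route (enumeration via CVE-2026-42071). It assumes the stock URL layout with any install prefix, that the Referer is logged, and that only 200 responses count as a leak; the log lines are constructed for the example. Both request shapes also occur in legitimate use, so the output is a review queue, not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format:
# ip ident user [ts] "METHOD target proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Stock REST route for bugnote attachments; any install prefix may precede /api/rest.
REST_NOTE_FILE = re.compile(r'/api/rest/issues/(\d+)/notes/(\d+)/files/(\d+)$')

# Constructed sample log (not real traffic). Client 203.0.113.7 walks note files across
# issues with curl; client 198.51.100.4 views attachment 77 inline, and the browser then
# fetches attachment 78 inline with the first inline view as Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:01:02 +0000] "GET /mantis/api/rest/issues/101/notes/5/files/9 HTTP/1.1" 200 4120 "-" "curl/8.5.0"
203.0.113.7 - - [28/May/2026:10:01:03 +0000] "GET /mantis/api/rest/issues/102/notes/8/files/12 HTTP/1.1" 200 2201 "-" "curl/8.5.0"
203.0.113.7 - - [28/May/2026:10:01:04 +0000] "GET /mantis/api/rest/issues/103/notes/11/files/13 HTTP/1.1" 200 9000 "-" "curl/8.5.0"
203.0.113.7 - - [28/May/2026:10:01:05 +0000] "GET /mantis/api/rest/issues/104/notes/2/files/3 HTTP/1.1" 403 150 "-" "curl/8.5.0"
198.51.100.4 - - [28/May/2026:10:05:00 +0000] "GET /mantis/file_download.php?file_id=77&type=bug&show_inline=1&file_show_inline_token=abc123 HTTP/1.1" 200 5120 "https://tracker.example/mantis/view.php?id=120" "Mozilla/5.0"
198.51.100.4 - - [28/May/2026:10:05:01 +0000] "GET /mantis/file_download.php?file_id=78&type=bug&show_inline=1&file_show_inline_token=abc123 HTTP/1.1" 200 800 "https://tracker.example/mantis/file_download.php?file_id=77&type=bug&show_inline=1" "Mozilla/5.0"
192.0.2.9 - - [28/May/2026:10:07:00 +0000] "GET /mantis/view.php?id=120 HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
"""


def is_inline_view(url):
    """True if url is a file_download.php request asking for inline rendering."""
    parts = urlsplit(url)
    return (parts.path.endswith('/file_download.php')
            and parse_qs(parts.query).get('show_inline') == ['1'])


def classify(line):
    """Return (kind, details) for a successful request matching one of the two
    vulnerable request shapes, else None."""
    m = COMBINED.match(line)
    if not m or m['status'] != '200':
        return None  # a rejected request neither leaked nor rendered anything
    target = m['target']
    if is_inline_view(target):
        qs = parse_qs(urlsplit(target).query)
        return ('inline_attachment', {
            'ip': m['ip'],
            'file_id': qs.get('file_id', ['?'])[0],
            # Referer that is itself an inline view: an attachment rendered in the
            # browser loaded another attachment (the XHTML -> JS chain).
            'chained': is_inline_view(m['referer']),
        })
    r = REST_NOTE_FILE.search(urlsplit(target).path)
    if r and m['method'] == 'GET':
        issue, note, file_id = r.groups()
        return ('rest_note_file', {'ip': m['ip'], 'issue': issue,
                                   'note': note, 'file_id': file_id})
    return None


def triage(lines, enum_threshold=3):
    """Produce (ip, finding, detail) tuples worth a human look."""
    findings = []
    rest_issues = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, d = hit
        if kind == 'inline_attachment':
            if d['chained']:
                findings.append((d['ip'], 'chained_inline_attachment_load', d['file_id']))
        else:
            rest_issues[d['ip']].add(d['issue'])
    for ip, issues in sorted(rest_issues.items()):
        # One client pulling note files from many distinct issues looks like enumeration.
        if len(issues) >= enum_threshold:
            findings.append((ip, 'rest_note_file_enumeration', len(issues)))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The chained-inline finding names a file_id; the log cannot tell you what that file is, so the follow-up is to check the attachment's stored type against the bug file table for XHTML or JavaScript content. The enumeration finding is only meaningful on an unpatched instance, where the REST route served private-note files the client should not have received.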
CVE-2026-42070 (Medium) affects versions prior to 2.28.2. The mc_issue_update() function of the SOAP (MantisConnect) API allows users who meet update_bug_threshold (UPDATER, by default) to edit bugnotes belonging to other users, change their visibility (view state), and modify their time tracking, bypassing the higher thresholds (developer-level by default) that govern those actions in the web UI. The fix is included in 2.28.2.
CVE-2026-41897 (Medium) affects versions 1.0.0 through 2.28.1. A lack of validation on the filter_target parameter in return_dynamic_filters.php — normally used as an AJAX endpoint on the View Issues Page — allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This was fixed in 2.28.2.
MantisBT project maintainers released version 2.28.2 to address four of the five CVEs (CVE-2026-44657, CVE-2026-44655, CVE-2026-42071, CVE-2026-42070), while CVE-2026-41897 is reported as fixed in the earlier 2.28.0 release. Either way, 2.28.2 carries all five fixes, so users running any version below 2.28.2 are advised to upgrade immediately. No in-the-wild exploitation had been reported for any of these CVEs at the time of disclosure.
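The affected ranges differ per CVE, so a fleet with mixed MantisBT versions needs more than a single "below 2.28.2" check to know which findings apply where. The following is an added example, not project code: it encodes the ranges stated above and reports which CVEs apply to a given version string. It assumes MantisBT's core/constant_inc.php defines MANTIS_VERSION as a PHP define (verify against your checkout), treats pre-release tags such as "2.28.2-dev" as older than the final release (so they still count as affected), and follows the per-CVE section in using 2.28.2 as the fixed version for CVE-2026-41897; the PHP snippet in the block is constructed.

```python
import re

# (first affected version or None for "all earlier versions", first fixed version),
# as stated in the disclosure.
AFFECTED = {
    'CVE-2026-44657': (None, '2.28.2'),
    'CVE-2026-44655': ('1.3.0', '2.28.2'),
    'CVE-2026-42071': ('2.23.0', '2.28.2'),
    'CVE-2026-42070': (None, '2.28.2'),
    'CVE-2026-41897': ('1.0.0', '2.28.2'),  # per-CVE section gives 1.0.0 through 2.28.1
}

# Constructed stand-in for the relevant line of core/constant_inc.php (assumption:
# MantisBT defines MANTIS_VERSION there).
SAMPLE_CONSTANT_INC = """<?php
define( 'MANTIS_VERSION', '2.28.1' );
"""


def parse_version(s):
    """Turn '2.28.1' or '2.28.2-dev' into a comparable tuple.

    A pre-release tag sorts below the final release, so '2.28.2-dev' < '2.28.2'
    and a dev build is reported as affected until it carries the fixed version.
    """
    m = re.match(r'^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$', s)
    if not m:
        raise ValueError(f'unrecognised version string: {s!r}')
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def affected_cves(version):
    """Return the CVE IDs from this batch whose stated range covers `version`."""
    v = parse_version(version)
    hits = []
    for cve, (lo, fixed) in AFFECTED.items():
        if (lo is None or parse_version(lo) <= v) and v < parse_version(fixed):
            hits.append(cve)
    return hits


def version_from_constant_inc(text):
    """Extract MANTIS_VERSION from the contents of core/constant_inc.php."""
    m = re.search(r"define\(\s*'MANTIS_VERSION'\s*,\s*'([^']+)'\s*\)", text)
    if not m:
        raise ValueError('MANTIS_VERSION define not found')
    return m.group(1)


if __name__ == '__main__':
    ver = version_from_constant_inc(SAMPLE_CONSTANT_INC)
    print(ver, 'affected by:', ', '.join(affected_cves(ver)) or 'none')
```

Running it against a real install is `version_from_constant_inc(open('/path/to/mantis/core/constant_inc.php').read())`; the range table is the only part that needs maintaining if the advisories are revised.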
This batch highlights a recurring theme in mature open-source projects: a mix of longstanding issues (some dating back to version 1.0.0) and newer flaws introduced in recent feature development. For organizations running MantisBT as their primary issue tracker, the authorization bypass in CVE-2026-42071 is particularly concerning, as it allows any authenticated user — not just those with elevated privileges — to exfiltrate private bugnote attachments via the REST API. Administrators should prioritize upgrading to 2.28.2 and review their custom field configurations in light of the HTML injection flaws.