End of PHP 7 support

PHP 7.4 reached end-of-life on November 22nd 2022, and it is becoming increasingly difficult for us to maintain compatibility as most libraries and tools stopped supporting it.

Consequently, the upcoming MantisBT release 2.29.0 will drop support for PHP 7.4 and 8.0, increasing the minimum supported version to 8.1.

This follows our customary practice to align our PHP requirements with the version bundled in the oldest available Ubuntu LTS release that is still under standard maintenance, currently 22.04 Jammy Jellyfish.

While official PHP 8.1 support ended on December 31st 2025, the Ubuntu team is committed to maintaining it for the lifetime of the 22.04 LTS release. Nevertheless, we recommend running a fully supported PHP version, i.e. 8.4 or later as of this writing.

MantisBT 2.28.1 Released

Security release addressing:

  • A critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849);
  • Two HTML injection / XSS issues with tag names (CVE-2026-33517 and CVE-2026-33548).

Many thanks to Alexander Philiotis of SynerComm and Vishal Shukla for discovering and responsibly reporting the issues.

A few regression issues introduced in 2.28.0 have been fixed as well. Please refer to the Change Log for complete details.

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Critical Security Issue in MantisBT <= 2.28.0

A critical vulnerability (CVE-2026-30849) has been identified in MantisBT 2.28.0 and earlier releases, affecting instances running on MySQL and compatible databases.

MantisBT 2.28.1 includes a fix addressing the issue and has been available since Monday, March 16th 2026. All installations are advised to upgrade immediately.

Considering the issue’s nature and high severity, this advance notice was published early to inform administrators so they can plan ahead and patch their systems before complete details about the issue became available to the general public, in the hope that exposed systems are updated before the vulnerability can be exploited. Full disclosure took place on March 23rd.

We would like to thank Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.

MantisBT 2.28.0 Released

This long-awaited release includes nearly 80 enhancements and bug fixes. Here are a few highlights among the many changes; please refer to the Change Log for complete details.

  • Compatibility with PHP 8.4 and 8.5
  • Improved documentation, including an OpenAPI Description for the REST API.
  • Better Tags management
  • Restored included pages functionality (top/bottom_include_page options and triggering of EVENT_LAYOUT_PAGE_HEADER)

Special thanks to Nikolay Raspopov for his significant contribution to this release.

All installations are advised to upgrade as soon as possible.


MantisBT 2.27.3 Released

Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2. Please refer to the Change Log for details.

All installations are advised to upgrade as soon as possible.
