Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation issues. This release also fixes a few bugs, including a regression introduced in 2.28.2.
Please refer to the Change Log for complete details. Full public disclosure of the security issues took place on July 15th, a week later than initially planned because the CVE assignment process took longer than expected; this is due to the GitHub security advisory team’s heavy workload.
We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: McCaulay Hudson (_mccaulay) of watchTowr, Keitaro Yamazaki (tyage), Harrison Keating (voraci0us), Chandler Johnson (chndlrx) and Bharat Devasani (bharatdevasani), Vishal Shukla (shukla304), Mamdouh Mahfouz (mamdouhmahfouz), Psalms Christopher Matovu (@byteoverride) and Dracosec Research Limited.
All installations are advised to upgrade as soon as possible.
Go ahead and download the release from our website.
In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!
