Maintenance and security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156), as well as 7 other vulnerabilities including SQL injection, remote code execution, cross-site scripting, missing authorisation and improper input validation issues. This release also fixes a few bugs, including a regression introduced in 2.28.2.
Please refer to the Change Log for complete details. Full public disclosure of the security issues is expected to take place on July 6th.
We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: McCaulay Hudson (_mccaulay) of watchTowr, Keitaro Yamazaki (tyage), Harrison Keating (voraci0us), Chandler Johnson (chndlrx) and Bharat Devasani (bharatdevasani), Vishal Shukla (shukla304), Mamdouh Mahfouz (mamdouhmahfouz), Psalms Christopher Matovu (@byteoverride) and Dracosec Research Limited.
All installations are advised to upgrade as soon as possible.
Go ahead and download the release from our website.
In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!
