MantisBT 2.26.2 Released

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.2

Security and maintenance release addressing several vulnerabilities (CVE-2024-34077, CVE-2024-34080 and CVE-2024-34081; refer to the corresponding Issues below for details).

It also resolves a few PHP 8.x compatibility issues, as well as a few other bugs.

All installations are strongly advised to upgrade as soon as possible.

  •  0033906[bugtracker] Failed opening core.php in timeline_inc.php on PHP 8.2 / IIS (dregad)
  •  0034008[documentation] MantisGraph: document usage of EVENT_MANTISGRAPH_SUBMENU (dregad)
  •  0034006[code cleanup] MantisGraph: fix deprecated warnings in javascript (dregad)
  •  0034393[html] Incorrect handling of HTML hexadecimal character references &#xNNN; (dregad)
  •  0034439[code cleanup] Deprecated warning when updating Issue with null checkbox Custom Field (dregad)
  •  0034441[excel] Excel error when opening exported issues with custom field with special characters (dregad)
  •  0034435[bugtracker] Issue note links don’t reflect if issue is resolved (vboctor)
  •  0034434[security] CVE-2024-34080: Don’t hyperlink references to notes whose issues are not accessible to user (vboctor)
  •  0034433[security] CVE-2024-34077: Account Takeover in Password Reset and Account Registration Feature (dregad)
  •  0034432[security] CVE-2024-34081: Unsanitised custom field names printed (dregad)
  •  0034417[security] Update corejs-typeahead.js library to 1.3.4 (dregad)
  •  0034410[api rest] REST API error reports incorrect field “version” when updating fixed in / target version with invalid value (dregad)
  •  0034399[other] Internal server error on view_user_page (atrol)
  •  0012956[bugtracker] Target Version does not respect GET or POST value when reporting issue (dregad)
  •  0034404[bugtracker] Proceed button is shown twice when redirecting with pending errors (dregad)
  •  0034359[api rest] REST API: “String not found” warning when adding note with invalid view_state (dregad)
  •  0034348[api rest] Adding issue note with REST API returns HTTP 500 when given view_state is invalid (dregad)
  •  0034018[filters] Filter “assigned to” and “monitor by” shows <br /> between the users when selecting multiple (advanced filtering) (dregad)
  •  0034106[code cleanup] Deprecated creation of dynamic properties in BugData class (dregad)