A critical vulnerability (CVE-2026-30849) has been identified in MantisBT 2.28.0 and earlier releases, affecting instances running on MySQL and compatible databases.
MantisBT 2.28.1 includes a fix addressing the issue and will be available on Monday, March 16th 2026, around 12:00 UTC. Be ready to patch your system right away! All installations are advised to upgrade as quickly as possible.
Considering the issue's nature and high severity, we decided to publish this advance notice so that administrators can plan ahead and patch their systems before complete details about the issue become available to the general public, in the hope that exposed systems are updated before the vulnerability can be exploited. Full disclosure will take place on March 23rd.
We would like to thank Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.
