MantisBT 2.28.4 released

Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation issues. This release also fixes a few bugs, including a regression introduced in 2.28.2.

Please refer to the Change Log for complete details. Full public disclosure of the security issues is expected to take place on July 6th.

We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: McCaulay Hudson (_mccaulay) of watchTowr, Keitaro Yamazaki (tyage), Harrison Keating (voraci0us), Chandler Johnson (chndlrx) and Bharat Devasani (bharatdevasani), Vishal Shukla (shukla304), Mamdouh Mahfouz (mamdouhmahfouz), Psalms Christopher Matovu (@byteoverride) and Dracosec Research Limited.

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Critical Security Issue in MantisBT <= 2.28.3

A critical vulnerability (CVE-2026-47156) has been identified in MantisBT 2.28.3 and earlier releases.

It will be fixed in Version 2.28.4, together with several other security issues, and will be available on Wednesday, July 1st 2026, around 12:00 UTC. Be ready to patch your system right away ! All installations are advised to upgrade as quickly as possible.

Considering the issue’s nature and high severity, we are publishing this advance notice to inform administrators so they can plan ahead and patch their systems before complete details about the issue become available to the general public, in the hope that exposed systems are updated before the vulnerability can be exploited. Full disclosure is expected to take place on July 6th.

We would like to thank McCaulay Hudson of watchTowr for originally identifying and responsibly reporting the issue.

The vulnerability was subsequently discovered by other researchers, while we were working on fixing it and preparing the release. We credit them here, in chronological order of their reports: Keitaro Yamazaki (tyage), Harrison Keating (voraci0us), Chandler Johnson (chndlrx) and Bharat Devasani (bharatdevasani).

MantisBT 2.28.2 released

This is an important security release, addressing over 15 vulnerabilities. It also fixes a few bugs and regression issues, and improves PHP 8.5 compatibility.

Please refer to the Change Log for complete details.

We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: Vishal Shukla (ninjasec), Dracosec Research Limited, Nozomu Sasaki (morimori-dev) and Tang Cheuk Hei (siunam).

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.28.1 Released

Security release addressing:

  • A critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849);
  • Two HTML injection / XSS issues with tag names (CVE-2026-33517 and CVE-2026-33548).

Many thanks to Alexander Philiotis of SynerComm and Vishal Shukla for discovering and responsibly reporting the issues.

A few regression issues introduced in 2.28.0 have been fixed as well. Please refer to the Change Log for complete details.

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Critical Security Issue in MantisBT <= 2.28.0

A critical vulnerability (CVE-2026-30849) has been identified in MantisBT 2.28.0 and earlier releases, affecting instances running on MySQL and compatible databases.

MantisBT 2.28.1 includes a fix addressing the issue and is available for download since Monday, March 16th 2026. All installations are advised to upgrade immediately.

Considering the issue’s nature and high severity, this advance notice was published early to inform administrators so they can plan ahead and patch their systems before complete details about the issue became available to the general public, in the hope that exposed systems are updated before the vulnerability can be exploited. Full disclosure took place on March 23rd.

We would like to thank Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.