Tag: security

This is an important security release, addressing over 15 vulnerabilities. It also fixes a few bugs and regression issues, and improves PHP 8.5 compatibility.

Please refer to the Change Log for complete details.

We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: Vishal Shukla (ninjasec), Dracosec Research Limited, Nozomu Sasaki (morimori-dev) and Tang Cheuk Hei (siunam).

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Security release addressing:

• A critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849);
• Two HTML injection / XSS issues with tag names (CVE-2026-33517 and CVE-2026-33548).

Many thanks to Alexander Philiotis of SynerComm and Vishal Shukla for discovering and responsibly reporting the issues.

A few regression issues introduced in 2.28.0 have been fixed as well. Please refer to the Change Log for complete details.

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

Note that MantisBT 2.27 is only compatible with PHP up to version 8.3. Upcoming 2.28.0 release will bring support for PHP 8.4 and later.

MantisBT 2.27.2

Maintenance and security release addressing 4 vulnerabilities:

• CVE-2025-47776 (GHSA-4v8w-gg5j-ph37): Authentication bypass for some passwords due to PHP type juggling, thanks to Harry Sintonen (@piru) / Reversec
• CVE-2025-46556 (GHSA-r3jf-hm7q-qfw5): Denial-of-Service (DoS) via Excessive Note Length, thanks to Mazen Mahmoud (@TheAmazeng)
• CVE-2025-55155 (GHSA-q747-c74m-69pr): Lack of verification when changing a user’s email address, thanks to Chaitanya Reddy (@ncrcs)
• CVE-2025-62520 (GHSA-g582-8vwr-68h2): Ability to copy private project configurations, thanks to d3vpoo1 

It also includes a score of other bug fixes and improvements. Please refer to the Change Log for details.

All installations are advised to upgrade as soon as possible.

Go ahead and download the release from our website.

In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!

MantisBT 2.26.4

Maintenance and security release addressing an information disclosure vulnerability (CVE-2024-45792) and a regression introduced by 2.26.3 on Manage Projects Page, as well as several bug fixes.

All installations are advised to upgrade as soon as possible.

•  0034640: [security] CVE-2024-45792: Insecure Direct Object References vulnerability with user profiles (dregad)
•  0034634: [other] Non-existing issue number does not throw a 404 in the UI (dregad)
•  0034768: [sub-projects] ‘INTERNAL APPLICATION ERROR’ editing some projects from manage_proj_page.php (atrol)
•  0026672: [api soap] mc_issue_add fails with “Object of class SoapFault could not be converted to int” (dregad)
•  0032557: [bugtracker] Can not set full URL to $g_manual_url in config_inc.php (dregad)
•  0034618: [administration] Disabled projects are not listed on page manage_proj_page.php (dregad)
•  0034682: [bugtracker] Incorrect usage of lang_get_defaulted() for an URL (dregad)
•  0034683: [api rest] REST POST /issues allows creation of Issue when invalid Category is specified (dregad)
•  0034684: [api soap] SOAP API throwing deprecation warning on PHP 8.1 (dregad)