{"id":846,"date":"2026-06-28T14:55:31","date_gmt":"2026-06-28T14:55:31","guid":{"rendered":"https:\/\/mantisbt.org\/blog\/?p=846"},"modified":"2026-06-28T16:34:17","modified_gmt":"2026-06-28T16:34:17","slug":"critical-security-issue-in-mantisbt-2-28-3","status":"publish","type":"post","link":"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/846","title":{"rendered":"Critical Security Issue in MantisBT &lt;=\u00a02.28.3"},"content":{"rendered":"\n<p>A critical vulnerability (CVE-2026-47156) has been identified in MantisBT 2.28.3 and earlier releases.<\/p>\n\n\n\n<p>It will be fixed in <strong>Version 2.28.4<\/strong>, together with several other security issues, and will be available on <strong>Wednesday, July 1<sup>st<\/sup> 2026<\/strong>, around 12:00 UTC. Be ready to patch your system right away ! All installations are advised to upgrade as quickly as possible.<\/p>\n\n\n\n<p>Considering the issue&#8217;s nature and high severity, we are publishing this advance notice to inform administrators so they can plan ahead and patch their systems before complete details about the issue become available to the general public, in the hope that exposed systems are updated before the vulnerability can be exploited. Full disclosure is expected to take place on July 6<sup>th<\/sup>.<\/p>\n\n\n\n<p>We would like to thank <a href=\"https:\/\/x.com\/_mccaulay\">McCaulay Hudson<\/a> of <a href=\"https:\/\/labs.watchtowr.com\">watchTowr<\/a> for originally identifying and responsibly reporting the issue. <\/p>\n\n\n\n<p>The vulnerability was subsequently discovered by other researchers, while we were working on fixing it and preparing the release. We credit them here, in chronological order of their reports: Keitaro Yamazaki (<a href=\"https:\/\/github.com\/tyage\">tyage<\/a>), Harrison Keating (<a href=\"https:\/\/github.com\/voraci0us\">voraci0us<\/a>), Chandler Johnson (<a href=\"https:\/\/github.com\/chndlrx\">chndlrx<\/a>) and Bharat Devasani (<a href=\"https:\/\/github.com\/bharatdevasani\">bharatdevasani<\/a>).<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A critical vulnerability (CVE-2026-47156) has been identified in MantisBT 2.28.3 and earlier releases. It will be fixed in Version 2.28.4, together with several other security issues, and will be available on Wednesday, July 1st 2026, around 12:00 UTC. Be ready to patch your system right away ! All installations are advised to upgrade as quickly &hellip; <a href=\"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/846\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Critical Security Issue in MantisBT &lt;=\u00a02.28.3&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[11],"class_list":["post-846","post","type-post","status-publish","format-standard","hentry","category-mantisbt","tag-security"],"_links":{"self":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/comments?post=846"}],"version-history":[{"count":2,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/846\/revisions"}],"predecessor-version":[{"id":850,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/846\/revisions\/850"}],"wp:attachment":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/media?parent=846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/categories?post=846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/tags?post=846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}