{"id":852,"date":"2026-07-01T12:13:47","date_gmt":"2026-07-01T12:13:47","guid":{"rendered":"https:\/\/mantisbt.org\/blog\/?p=852"},"modified":"2026-07-01T12:13:47","modified_gmt":"2026-07-01T12:13:47","slug":"mantisbt-2-28-4-released","status":"publish","type":"post","link":"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/852","title":{"rendered":"MantisBT 2.28.4 released"},"content":{"rendered":"\n<p>Maintenance and Security release addressing a <strong>critical authentication bypass vulnerability<\/strong> in the SOAP API (CVE-2026-47156) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation issues. This release also fixes a few bugs, including a regression introduced in 2.28.2.<\/p>\n\n\n\n<p>Please refer to the <a href=\"https:\/\/mantisbt.org\/bugs\/changelog_page.php?version_id=384\">Change Log<\/a> for complete details. Full public disclosure of the security issues is expected to take place on July 6<sup>th<\/sup>.<\/p>\n\n\n\n<p>We would like to thank the researchers who identified, responsibly disclosed and helped us fix the security issues: McCaulay Hudson (<a href=\"https:\/\/x.com\/_mccaulay\">_mccaulay<\/a>)  of <a href=\"https:\/\/labs.watchtowr.com\">watchTowr<\/a>, Keitaro Yamazaki (<a href=\"https:\/\/github.com\/tyage\">tyage<\/a>), Harrison Keating (<a href=\"https:\/\/github.com\/voraci0us\">voraci0us<\/a>), Chandler Johnson (<a href=\"https:\/\/github.com\/chndlrx\">chndlrx<\/a>) and Bharat Devasani (<a href=\"https:\/\/github.com\/bharatdevasani\">bharatdevasani<\/a>), Vishal Shukla (<a href=\"https:\/\/github.com\/shukla304\">shukla304<\/a>), Mamdouh Mahfouz (<a href=\"https:\/\/github.com\/mamdouhmahfouz\">mamdouhmahfouz<\/a>), Psalms Christopher Matovu (<a href=\"https:\/\/github.com\/byteoverride\">@byteoverride<\/a>) and\u00a0<a href=\"https:\/\/dracosec.tech\/\">Dracosec Research Limited<\/a>.<\/p>\n\n\n\n<p>All installations are advised to upgrade as soon as possible.<\/p>\n\n\n\n<p>Go ahead and&nbsp;<a href=\"https:\/\/mantisbt.org\/download.php\">download<\/a>&nbsp;the release from our website.<\/p>\n\n\n\n<p>In order to stay up to date with the latest MantisBT news, please star our <a href=\"https:\/\/github.com\/mantisbt\/mantisbt\" target=\"_blank\" rel=\"noreferrer noopener\">GitHub repository<\/a>, join our <a href=\"https:\/\/app.gitter.im\/#\/room\/#mantisbt_mantisbt:gitter.im\" target=\"_blank\" rel=\"noreferrer noopener\">Gitter channel<\/a>, or <a href=\"https:\/\/twitter.com\/mantisbt\" target=\"_blank\" rel=\"noreferrer noopener\">follow us on X<\/a> or <a href=\"https:\/\/phpc.social\/@mantisbt\">Mastodon<\/a> and retweet to spread the word!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation issues. This release also fixes a few bugs, including a regression introduced in 2.28.2. Please refer to the Change Log &hellip; <a href=\"https:\/\/mantisbt.org\/blog\/archives\/mantisbt\/852\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;MantisBT 2.28.4 released&#8221;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,11],"class_list":["post-852","post","type-post","status-publish","format-standard","hentry","category-mantisbt","tag-release","tag-security"],"_links":{"self":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/comments?post=852"}],"version-history":[{"count":1,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/852\/revisions"}],"predecessor-version":[{"id":853,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/posts\/852\/revisions\/853"}],"wp:attachment":[{"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/media?parent=852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/categories?post=852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mantisbt.org\/blog\/wp-json\/wp\/v2\/tags?post=852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}