mantisbt - Change Log
Released 2026-05-09
Important security release, addressing over 15 vulnerabilities; refer to the Change Log for details. We would like to thank the researchers who identified and helped us fix them: Vishal Shukla (@ninjasec), Dracosec Research Limited, Nozomu Sasaki (@morimori-dev) and Tang Cheuk Hei (@siunam). The release also fixes a few bugs and regression issues and improves PHP 8.5 compatibility.
- 0037011: [security] CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference (dregad)
- 0036819: [authentication] Secure cookies are rejected by the browser (dregad)
- 0037024: [administration] Incorrect PHP Supported version Admin Check (dregad)
- 0037023: [administration] Deprecated error in PHP 8.5 when checking the installation in the admin panel (dregad)
- 0037022: [tagging] Undefined array key error in tag_bug_get* functions when given an invalid Issue ID (community)
- 0037019: [ui] User's chosen font overwritten when saving preferences (dregad)
- 0037010: [tools] Github Actions: deprecated actions warning (dregad)
- 0037006: [code cleanup] Abort user verification early if given user id is not valid (dregad)
- 0037005: [bugtracker] user_get_row() does not throw exception when given invalid user id (dregad)
- 0036995: [security] CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis (dregad)
- 0036991: [security] Improve protection against CSV injection (dregad)
- 0036974: [security] CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php (dregad)
- 0036990: [ui] Duplicated layout in View Filters Page when filter is not accessible (dregad)
- 0036969: [plug-ins] Unknown category error in the MantisGraph plugin (dregad)
- 0036987: [csv] csv_escape_string: incorrect result with int/float custom values when csv_injection_protection is active (dregad)
- 0036986: [security] CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name (dregad)
- 0036985: [security] CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes (dregad)
- 0036978: [security] CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked (dregad)
- 0032998: [administration] Call to undefined function mci_get_project_id() when removing a user from a project (vboctor)
- 0036975: [security] CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues (dregad)
- 0036977: [security] CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue (dregad)
- 0036976: [security] CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST (dregad)
- 0037099: [security] CVE-2026-44655: XSS in move_attachments_page.php (dregad)
- 0037089: [security] CVE-2026-42070: REST/SOAP mc_issue_update Embedded Note Update Bypasses Note-Level Authorization (dregad)
- 0037020: [security] CVE-2026-44657: Stored XSS in File Download (dregad)
- 0037016: [security] CVE-2026-40597: Content Security Policy bypass via attachments (dregad)
- 0037015: [security] CVE-2026-40607: Stored XSS in Saved-Filter Owner Column (Manager+) (dregad)
- 0037013: [security] CVE-2026-41897: Reflected XSS in Rendering Dynamic Custom Textarea Field (dregad)
- 0037017: [security] CVE-2026-40598: Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page (dregad)
- 0037003: [security] CVE-2026-39960: Stored XSS in Custom Field Textarea Values (dregad)
30 issues
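The two CSV entries above (0036991 and 0036987) concern spreadsheet formula injection through exported fields and an edge case with int/float custom-field values. The code below is an added illustration of that protection and is not MantisBT's own csv_escape_string() or its csv_injection_protection handling: the function names csv_escape_field and csv_escape_row, the trigger-character set, the single-quote prefix and the decision to pass numeric values through unchanged are assumptions made for this example, and the sample rows are constructed, not tracker data.

```php
<?php
declare(strict_types=1);

/**
 * Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
 * Tab and carriage return are included because some spreadsheets strip them
 * before checking for a leading '=' (assumed trigger set for this example).
 */
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Escape one exported cell value.
 *
 * @param mixed  $value     scalar cell value: string, int, float, bool or null
 * @param bool   $protect   whether formula-injection protection is enabled
 * @param string $separator field separator used by the export
 * @return string           field text ready to be joined with $separator
 */
function csv_escape_field($value, bool $protect = true, string $separator = ','): string
{
    // Cast before inspecting: indexing or substr()-ing an int/float under strict
    // typing is exactly the kind of failure that bites when custom fields hold numbers.
    $text = is_bool($value) ? ($value ? '1' : '0') : (string) ($value ?? '');

    // A value that parses as a number (int/float, or a string such as "-3.5")
    // cannot start a formula, so it is emitted unchanged instead of being
    // turned into the text "'-3.5" (design choice assumed for this example).
    if (is_int($value) || is_float($value) || is_numeric($text)) {
        return $text;
    }

    if ($protect && $text !== '' && in_array($text[0], CSV_FORMULA_TRIGGERS, true)) {
        // A leading single quote makes spreadsheet applications treat the cell as text.
        $text = "'" . $text;
    }

    // RFC 4180 quoting: wrap fields containing the separator, a double quote or a
    // newline, doubling any embedded double quote.
    if (strpbrk($text, $separator . "\"\r\n") !== false) {
        $text = '"' . str_replace('"', '""', $text) . '"';
    }
    return $text;
}

/**
 * Escape every cell of a row and join them into one CSV line.
 *
 * @param array<string,mixed> $row
 */
function csv_escape_row(array $row, bool $protect = true, string $separator = ','): string
{
    $cells = [];
    foreach ($row as $cell) {
        $cells[] = csv_escape_field($cell, $protect, $separator);
    }
    return implode($separator, $cells);
}

/**
 * Constructed sample rows: a HYPERLINK formula in a summary, the classic
 * DDE-style "-2+3+cmd|..." payload, a negative int, a float and a numeric string.
 *
 * @return string[] escaped CSV lines
 */
function csv_demo_rows(): array
{
    $rows = [
        ['id' => 101, 'summary' => '=HYPERLINK("http://evil.example","click")', 'estimate' => -5],
        ['id' => 102, 'summary' => 'Crash on save, see log',                   'estimate' => 3.5],
        ['id' => 103, 'summary' => "-2+3+cmd|' /C calc'!A0",                   'estimate' => '-1'],
    ];
    return array_map('csv_escape_row', $rows);
}

if (PHP_SAPI === 'cli') {
    foreach (csv_demo_rows() as $line) {
        echo $line, "\n";
    }
}
```

Run it with php on the command line. The formula payloads in rows 101 and 103 come out with a leading single quote (and, where the field also contains a comma or a double quote, wrapped and quote-doubled), while the int, float and numeric-string estimates are written as plain numbers; without the numeric pass-through the negative values would have been exported as text cells, which is the kind of incorrect result the 0036987 entry describes.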