Released 2026-03-16

Maintenance and security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849, thanks to Alexander Philiotis of SynerComm) and two HTML injection / XSS issues with tag names (CVE-2026-33517 and CVE-2026-33548, credits to Vishal Shukla). The release also fixes a few bugs including regression issues introduced in 2.28.0.

  • 0036818: [api soap] Call to undefined function date_timestamp_to_iso8601() (dregad)
  • 0036971: [security] CVE-2026-33517: Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name (dregad)
  • 0036973: [security] CVE-2026-33548: Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name (dregad)
  • 0036902: [security] CVE-2026-30849: Authentication bypass vulnerability in the SOAP API (dregad)
  • 0036810: [bugtracker] Accessing bug_report_page.php (and other pages) anonymously results in blank page (dregad)
  • 0036855: [bugtracker] Application error on bug_relationship_graph.php page (community)
  • 0036860: [tools] Update PHPUnit to 9.6.34 (dregad)
  • 0036823: [email] Update PHPMailer to 7.0.2 (dregad)
  • 0036972: [localization] Invalid use of {{GENDER:*}} tag in French language strings (dregad)