Search criteria
274 vulnerabilities found for mantisBT by mantisBT
CVE-2026-44657 (GCVE-0-2026-44657)
Vulnerability from nvd – Published: 2026-05-28 20:25 – Updated: 2026-05-29 14:50
VLAI
Title
MantisBT: Stored XSS in File Download
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/26647… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37020 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:49:46.365542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:50:03.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:25:26.816Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8"
},
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37020",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37020"
}
],
"source": {
"advisory": "GHSA-p6fr-rxq7-xcg8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Stored XSS in File Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44657",
"datePublished": "2026-05-28T20:25:26.816Z",
"dateReserved": "2026-05-07T16:20:08.658Z",
"dateUpdated": "2026-05-29T14:50:03.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44655 (GCVE-0-2026-44655)
Vulnerability from nvd – Published: 2026-05-28 20:27 – Updated: 2026-05-29 19:12
VLAI
Title
MantisBT: Stored XSS on Move Attachments Admin Page
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/5cb4b… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:11:59.299415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:12:11.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:27:02.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa"
}
],
"source": {
"advisory": "GHSA-7mqj-8gj2-cg59",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Stored XSS on Move Attachments Admin Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44655",
"datePublished": "2026-05-28T20:27:02.724Z",
"dateReserved": "2026-05-07T15:30:10.876Z",
"dateUpdated": "2026-05-29T19:12:11.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42071 (GCVE-0-2026-42071)
Vulnerability from nvd – Published: 2026-05-28 20:29 – Updated: 2026-05-29 13:56
VLAI
Title
MantisBT: Private Bugnote Attachment Content Leak via REST API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/029d9… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=27039 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36985 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37092 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T13:56:42.128313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T13:56:52.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT\u0027s file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:29:20.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=27039",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=27039"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36985",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36985"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37092",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37092"
}
],
"source": {
"advisory": "GHSA-pw5x-2mf9-3xc8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Private Bugnote Attachment Content Leak via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42071",
"datePublished": "2026-05-28T20:29:20.361Z",
"dateReserved": "2026-04-23T19:17:30.564Z",
"dateUpdated": "2026-05-29T13:56:52.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42070 (GCVE-0-2026-42070)
Vulnerability from nvd – Published: 2026-05-28 20:28 – Updated: 2026-06-02 13:50
VLAI
Title
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/6e58f… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37089 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37093 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T13:49:49.743403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:50:27.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users \u2014 bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:28:20.369Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37089",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37089"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37093",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37093"
}
],
"source": {
"advisory": "GHSA-pq86-j2c2-47f6",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42070",
"datePublished": "2026-05-28T20:28:20.369Z",
"dateReserved": "2026-04-23T19:17:30.564Z",
"dateUpdated": "2026-06-02T13:50:27.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41897 (GCVE-0-2026-41897)
Vulnerability from nvd – Published: 2026-05-28 20:26 – Updated: 2026-05-30 02:15
VLAI
Title
MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/c885a… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37013 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:15:10.845253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:15:20.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:26:24.192Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37013",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37013"
}
],
"source": {
"advisory": "GHSA-j7v9-f46r-2rp4",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41897",
"datePublished": "2026-05-28T20:26:24.192Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-05-30T02:15:20.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39960 (GCVE-0-2026-39960)
Vulnerability from nvd – Published: 2026-05-20 21:11 – Updated: 2026-05-21 13:30
VLAI
Title
MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/5fec0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:29:35.775357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:30:07.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field\u0027s contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T21:11:02.341Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7"
}
],
"source": {
"advisory": "GHSA-qj6w-v29q-4rgx",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39960",
"datePublished": "2026-05-20T21:11:02.341Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-05-21T13:30:07.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34970 (GCVE-0-2026-34970)
Vulnerability from nvd – Published: 2026-05-19 23:17 – Updated: 2026-05-20 13:04
VLAI
Title
MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/71df1… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36978 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34970",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:04:45.120015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:04:48.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note\u0027s Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:17:59.549Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36978",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"source": {
"advisory": "GHSA-crmx-4p49-46m2",
"discovery": "UNKNOWN"
},
"title": "MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34970",
"datePublished": "2026-05-19T23:17:59.549Z",
"dateReserved": "2026-03-31T19:38:31.616Z",
"dateUpdated": "2026-05-20T13:04:48.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34754 (GCVE-0-2026-34754)
Vulnerability from nvd – Published: 2026-05-19 23:05 – Updated: 2026-05-20 15:09
VLAI
Title
MantisBT allows unauthorized users to upload attachments to restricted issues via REST API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b262b… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36976 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:07:20.317286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:09:04.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:05:27.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36976",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36976"
}
],
"source": {
"advisory": "GHSA-h4x5-gvx6-3rwc",
"discovery": "UNKNOWN"
},
"title": "MantisBT allows unauthorized users to upload attachments to restricted issues via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34754",
"datePublished": "2026-05-19T23:05:27.818Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-05-20T15:09:04.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34744 (GCVE-0-2026-34744)
Vulnerability from nvd – Published: 2026-05-19 22:45 – Updated: 2026-05-20 17:19
VLAI
Title
MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/de7bd… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36977 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:19:00.457408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:19:23.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:45:35.012Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36977",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36977"
}
],
"source": {
"advisory": "GHSA-rmp5-5jj7-gmvf",
"discovery": "UNKNOWN"
},
"title": "MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34744",
"datePublished": "2026-05-19T22:45:35.012Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-05-20T17:19:23.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34579 (GCVE-0-2026-34579)
Vulnerability from nvd – Published: 2026-05-19 22:06 – Updated: 2026-05-20 15:45
VLAI
Title
MantisBT has an authorization bypass via private issue monitoring
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/0a932… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36975 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:25:53.765282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:45:51.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue\u0027s metadata and content. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:06:26.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36975",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36975"
}
],
"source": {
"advisory": "GHSA-ggw7-9675-6v4v",
"discovery": "UNKNOWN"
},
"title": "MantisBT has an authorization bypass via private issue monitoring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34579",
"datePublished": "2026-05-19T22:06:26.798Z",
"dateReserved": "2026-03-30T16:56:30.998Z",
"dateUpdated": "2026-05-20T15:45:51.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34463 (GCVE-0-2026-34463)
Vulnerability from nvd – Published: 2026-05-19 21:57 – Updated: 2026-05-20 13:36
VLAI
Title
MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/df226… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36986 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:36:36.270656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:36:45.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project\u0027s name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:57:49.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36986",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36986"
}
],
"source": {
"advisory": "GHSA-fvjf-68wh-rwp2",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Stored HTML Injection/XSS via Clone Issue Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34463",
"datePublished": "2026-05-19T21:57:49.015Z",
"dateReserved": "2026-03-27T18:18:14.896Z",
"dateUpdated": "2026-05-20T13:36:45.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34390 (GCVE-0-2026-34390)
Vulnerability from nvd – Published: 2026-05-19 21:54 – Updated: 2026-05-20 13:05
VLAI
Title
MantisBT: Privilege Escalation from Manager to Administrator
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/69e01… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36995 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37002 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34390",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:05:44.018367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:05:47.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor\u0027s own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:54:26.043Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36995",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37002",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"source": {
"advisory": "GHSA-frf7-jhp9-jxm6",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Privilege Escalation from Manager to Administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34390",
"datePublished": "2026-05-19T21:54:26.043Z",
"dateReserved": "2026-03-27T13:45:29.619Z",
"dateUpdated": "2026-05-20T13:05:47.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33052 (GCVE-0-2026-33052)
Vulnerability from nvd – Published: 2026-05-19 00:29 – Updated: 2026-05-19 12:46
VLAI
Title
MantisBT: Authorization Bypass in Global Profile Creation
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/3f952… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36974 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:46:22.931158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:46:26.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.28.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the \"add_profile_threshold\" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T00:29:05.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36974",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"source": {
"advisory": "GHSA-68w5-w573-q2r8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authorization Bypass in Global Profile Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33052",
"datePublished": "2026-05-19T00:29:05.220Z",
"dateReserved": "2026-03-17T18:10:50.212Z",
"dateUpdated": "2026-05-19T12:46:26.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42071 (GCVE-0-2026-42071)
Vulnerability from cvelistv5 – Published: 2026-05-28 20:29 – Updated: 2026-05-29 13:56
VLAI
Title
MantisBT: Private Bugnote Attachment Content Leak via REST API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/029d9… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=27039 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36985 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37092 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42071",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T13:56:42.128313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T13:56:52.065Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT\u0027s file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:29:20.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=27039",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=27039"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36985",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36985"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37092",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37092"
}
],
"source": {
"advisory": "GHSA-pw5x-2mf9-3xc8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Private Bugnote Attachment Content Leak via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42071",
"datePublished": "2026-05-28T20:29:20.361Z",
"dateReserved": "2026-04-23T19:17:30.564Z",
"dateUpdated": "2026-05-29T13:56:52.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42070 (GCVE-0-2026-42070)
Vulnerability from cvelistv5 – Published: 2026-05-28 20:28 – Updated: 2026-06-02 13:50
VLAI
Title
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/6e58f… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37089 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37093 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T13:49:49.743403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T13:50:27.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users \u2014 bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:28:20.369Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37089",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37089"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37093",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37093"
}
],
"source": {
"advisory": "GHSA-pq86-j2c2-47f6",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42070",
"datePublished": "2026-05-28T20:28:20.369Z",
"dateReserved": "2026-04-23T19:17:30.564Z",
"dateUpdated": "2026-06-02T13:50:27.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44655 (GCVE-0-2026-44655)
Vulnerability from cvelistv5 – Published: 2026-05-28 20:27 – Updated: 2026-05-29 19:12
VLAI
Title
MantisBT: Stored XSS on Move Attachments Admin Page
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/5cb4b… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:11:59.299415Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:12:11.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:27:02.724Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa"
}
],
"source": {
"advisory": "GHSA-7mqj-8gj2-cg59",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Stored XSS on Move Attachments Admin Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44655",
"datePublished": "2026-05-28T20:27:02.724Z",
"dateReserved": "2026-05-07T15:30:10.876Z",
"dateUpdated": "2026-05-29T19:12:11.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41897 (GCVE-0-2026-41897)
Vulnerability from cvelistv5 – Published: 2026-05-28 20:26 – Updated: 2026-05-30 02:15
VLAI
Title
MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/c885a… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37013 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:15:10.845253Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:15:20.499Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:26:24.192Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37013",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37013"
}
],
"source": {
"advisory": "GHSA-j7v9-f46r-2rp4",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41897",
"datePublished": "2026-05-28T20:26:24.192Z",
"dateReserved": "2026-04-22T15:11:54.672Z",
"dateUpdated": "2026-05-30T02:15:20.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44657 (GCVE-0-2026-44657)
Vulnerability from cvelistv5 – Published: 2026-05-28 20:25 – Updated: 2026-05-29 14:50
VLAI
Title
MantisBT: Stored XSS in File Download
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/26647… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37020 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:49:46.365542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:50:03.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T20:25:26.816Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8"
},
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37020",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37020"
}
],
"source": {
"advisory": "GHSA-p6fr-rxq7-xcg8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Stored XSS in File Download"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44657",
"datePublished": "2026-05-28T20:25:26.816Z",
"dateReserved": "2026-05-07T16:20:08.658Z",
"dateUpdated": "2026-05-29T14:50:03.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40607 (GCVE-0-2026-40607)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:39 – Updated: 2026-05-26 18:51
VLAI
Title
MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/44f49… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37015 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40607",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T18:51:03.130533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T18:51:17.022Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter\u0027s owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users\u0027 real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:39:13.817Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37015",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37015"
}
],
"source": {
"advisory": "GHSA-f633-865q-2mhh",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40607",
"datePublished": "2026-05-22T19:39:13.817Z",
"dateReserved": "2026-04-14T14:07:59.642Z",
"dateUpdated": "2026-05-26T18:51:17.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40598 (GCVE-0-2026-40598)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:32 – Updated: 2026-05-23 02:41
VLAI
Title
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b1ebc… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37017 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40598",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-23T02:39:01.073614Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-23T02:41:23.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=37017"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request\u0027s Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:32:35.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37017",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37017"
}
],
"source": {
"advisory": "GHSA-6jh4-47v2-4g37",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40598",
"datePublished": "2026-05-22T19:32:35.535Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-23T02:41:23.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40597 (GCVE-0-2026-40597)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:29 – Updated: 2026-05-26 19:06
VLAI
Title
MantisBT has a Content Security Policy bypass via attachments
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/9e3be… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37016 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T19:05:54.812787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T19:06:00.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy\u0027s script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a \u003cscript\u003e tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358: Improperly Implemented Security Check for Standard",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:29:46.728Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37016",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37016"
}
],
"source": {
"advisory": "GHSA-9c3j-xm6v-j7j3",
"discovery": "UNKNOWN"
},
"title": "MantisBT has a Content Security Policy bypass via attachments"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40597",
"datePublished": "2026-05-22T19:29:46.728Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-26T19:06:00.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40596 (GCVE-0-2026-40596)
Vulnerability from cvelistv5 – Published: 2026-05-22 19:25 – Updated: 2026-05-22 20:10
VLAI
Title
MantisBT is vulnerable to XSS and potential account takeover via user font family preference update
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_MISC |
| https://github.com/mantisbt/mantisbt/commit/9e840… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37011 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37016 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T20:10:08.492596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T20:10:16.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.11.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account\u0027s font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T19:25:32.812Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j"
},
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37011",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37011"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37016",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37016"
}
],
"source": {
"advisory": "GHSA-j3v9-553h-x28j",
"discovery": "UNKNOWN"
},
"title": "MantisBT is vulnerable to XSS and potential account takeover via user font family preference update"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40596",
"datePublished": "2026-05-22T19:25:32.812Z",
"dateReserved": "2026-04-14T14:07:59.641Z",
"dateUpdated": "2026-05-22T20:10:16.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39960 (GCVE-0-2026-39960)
Vulnerability from cvelistv5 – Published: 2026-05-20 21:11 – Updated: 2026-05-21 13:30
VLAI
Title
MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/5fec0… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:29:35.775357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:30:07.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field\u0027s contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T21:11:02.341Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7"
}
],
"source": {
"advisory": "GHSA-qj6w-v29q-4rgx",
"discovery": "UNKNOWN"
},
"title": "MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39960",
"datePublished": "2026-05-20T21:11:02.341Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-05-21T13:30:07.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34970 (GCVE-0-2026-34970)
Vulnerability from cvelistv5 – Published: 2026-05-19 23:17 – Updated: 2026-05-20 13:04
VLAI
Title
MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/71df1… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36978 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34970",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:04:45.120015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:04:48.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note\u0027s Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:17:59.549Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36978",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36978"
}
],
"source": {
"advisory": "GHSA-crmx-4p49-46m2",
"discovery": "UNKNOWN"
},
"title": "MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34970",
"datePublished": "2026-05-19T23:17:59.549Z",
"dateReserved": "2026-03-31T19:38:31.616Z",
"dateUpdated": "2026-05-20T13:04:48.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34754 (GCVE-0-2026-34754)
Vulnerability from cvelistv5 – Published: 2026-05-19 23:05 – Updated: 2026-05-20 15:09
VLAI
Title
MantisBT allows unauthorized users to upload attachments to restricted issues via REST API
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/b262b… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36976 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:07:20.317286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:09:04.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T23:05:27.818Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36976",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36976"
}
],
"source": {
"advisory": "GHSA-h4x5-gvx6-3rwc",
"discovery": "UNKNOWN"
},
"title": "MantisBT allows unauthorized users to upload attachments to restricted issues via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34754",
"datePublished": "2026-05-19T23:05:27.818Z",
"dateReserved": "2026-03-30T19:17:10.225Z",
"dateUpdated": "2026-05-20T15:09:04.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34744 (GCVE-0-2026-34744)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:45 – Updated: 2026-05-20 17:19
VLAI
Title
MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/de7bd… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36977 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T17:19:00.457408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T17:19:23.248Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:45:35.012Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36977",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36977"
}
],
"source": {
"advisory": "GHSA-rmp5-5jj7-gmvf",
"discovery": "UNKNOWN"
},
"title": "MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34744",
"datePublished": "2026-05-19T22:45:35.012Z",
"dateReserved": "2026-03-30T19:17:10.224Z",
"dateUpdated": "2026-05-20T17:19:23.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34579 (GCVE-0-2026-34579)
Vulnerability from cvelistv5 – Published: 2026-05-19 22:06 – Updated: 2026-05-20 15:45
VLAI
Title
MantisBT has an authorization bypass via private issue monitoring
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/0a932… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36975 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:25:53.765282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:45:51.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature . Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue\u0027s metadata and content. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T22:06:26.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36975",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36975"
}
],
"source": {
"advisory": "GHSA-ggw7-9675-6v4v",
"discovery": "UNKNOWN"
},
"title": "MantisBT has an authorization bypass via private issue monitoring"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34579",
"datePublished": "2026-05-19T22:06:26.798Z",
"dateReserved": "2026-03-30T16:56:30.998Z",
"dateUpdated": "2026-05-20T15:45:51.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34463 (GCVE-0-2026-34463)
Vulnerability from cvelistv5 – Published: 2026-05-19 21:57 – Updated: 2026-05-20 13:36
VLAI
Title
MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/df226… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36986 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:36:36.270656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:36:45.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project\u0027s name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:57:49.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36986",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36986"
}
],
"source": {
"advisory": "GHSA-fvjf-68wh-rwp2",
"discovery": "UNKNOWN"
},
"title": "MantisBT has Stored HTML Injection/XSS via Clone Issue Form"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34463",
"datePublished": "2026-05-19T21:57:49.015Z",
"dateReserved": "2026-03-27T18:18:14.896Z",
"dateUpdated": "2026-05-20T13:36:45.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34390 (GCVE-0-2026-34390)
Vulnerability from cvelistv5 – Published: 2026-05-19 21:54 – Updated: 2026-05-20 13:05
VLAI
Title
MantisBT: Privilege Escalation from Manager to Administrator
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/69e01… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36995 | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=37002 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34390",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:05:44.018367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:05:47.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor\u0027s own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T21:54:26.043Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36995",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36995"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=37002",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=37002"
}
],
"source": {
"advisory": "GHSA-frf7-jhp9-jxm6",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Privilege Escalation from Manager to Administrator"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34390",
"datePublished": "2026-05-19T21:54:26.043Z",
"dateReserved": "2026-03-27T13:45:29.619Z",
"dateUpdated": "2026-05-20T13:05:47.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33052 (GCVE-0-2026-33052)
Vulnerability from cvelistv5 – Published: 2026-05-19 00:29 – Updated: 2026-05-19 12:46
VLAI
Title
MantisBT: Authorization Bypass in Global Profile Creation
Summary
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mantisbt/mantisbt/security/adv… | x_refsource_CONFIRM |
| https://github.com/mantisbt/mantisbt/commit/3f952… | x_refsource_MISC |
| https://mantisbt.org/bugs/view.php?id=36974 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33052",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:46:22.931158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:46:26.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mantisbt",
"vendor": "mantisbt",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.28.0, \u003c 2.28.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the \"add_profile_threshold\" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T00:29:05.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8"
},
{
"name": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e"
},
{
"name": "https://mantisbt.org/bugs/view.php?id=36974",
"tags": [
"x_refsource_MISC"
],
"url": "https://mantisbt.org/bugs/view.php?id=36974"
}
],
"source": {
"advisory": "GHSA-68w5-w573-q2r8",
"discovery": "UNKNOWN"
},
"title": "MantisBT: Authorization Bypass in Global Profile Creation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33052",
"datePublished": "2026-05-19T00:29:05.220Z",
"dateReserved": "2026-03-17T18:10:50.212Z",
"dateUpdated": "2026-05-19T12:46:26.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}