Mantis Bug Tracker (MantisBT)


Products by MantisBT, sorted by most security vulnerabilities since 2018

MantisBT: 75 vulnerabilities
MantisBT Source Integration: 4 vulnerabilities

By the Year

So far in 2026 there have been 20 vulnerabilities published for MantisBT, with an average CVE base score of 4.85 out of ten. In 2025 MantisBT had 4 security vulnerabilities published, so 16 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was higher by 1.10.

Year  Vulnerabilities  Average CVE base score
2026  20               4.85
2025   4               5.95
2024   5               6.44
2023   3               4.90
2022   4               6.35
2021   4               5.83
2020   7               5.50
2019   4               6.13
2018   7               5.75

It may take a day or so for new MantisBT vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent MantisBT Security Vulnerabilities

CVE-2026-42071 (May 28, 2026)
Auth Bypass in MantisBT 2.23.0-2.28.1 via REST/SOAP API File Visibility
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER or above) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get operation. This vulnerability is fixed in 2.28.2.
Product: MantisBT

CVE-2026-42070 (May 28, 2026)
MantisBT 2.28.1 Privilege Escalation: UPDATER users edit others' bugnotes
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change the view state of, and modify time tracking on bugnotes belonging to other users, bypassing the default DEVELOPER (level 55) threshold enforced by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Product: MantisBT

CVE-2026-44655 (May 28, 2026)
MantisBT XSS 1.3.0-2.28.1 via Unescaped Project Name in Move Attachments Page
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, an unescaped project name allows an attacker who can set it (which typically requires Manager or Administrator access level) to inject HTML into the Move Attachments admin page. This vulnerability is fixed in 2.28.2.
Product: MantisBT

CVE-2026-41897 (May 28, 2026)
MantisBT <=2.28.1: filter_target HTML injection via return_dynamic_filters.php
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of the filter_target parameter on return_dynamic_filters.php (normally called via AJAX from the View Issues page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.
Product: MantisBT

CVE-2026-44657 (May 28, 2026)
MantisBT <=2.28.1 Code Exec via Inline File CSRF
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using the show_inline=1 parameter together with a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment that references a JavaScript attachment. This vulnerability is fixed in 2.28.2.
Product: MantisBT

CVE-2026-40607 (May 22, 2026)
MantisBT 2.11.0-2.28.1 Stored XSS via unsanitized filter owner
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that by default only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. Administrators who cannot update immediately can work around the issue by preventing display of users' real names (set $g_show_user_realname = OFF; in the configuration) and by restricting the ability to store filters (set $g_stored_query_create_threshold and $g_stored_query_create_shared_threshold to NOBODY).
Product: MantisBT

CVE-2026-40598 (May 22, 2026)
MantisBT 2.28.1 and earlier: XSS via Referer redirect (fixed in 2.28.2)
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker to inject HTML. This is generally not directly actionable, because modern browsers URL-encode special characters in the Referer header, but on some server configurations it could poison a cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2.
Product: MantisBT

CVE-2026-40597 (May 22, 2026)
MantisBT 2.28.1 and below: XSS / CSP Bypass via file_download MIME type
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, is served with a valid JavaScript MIME type, resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see the file_create_finfo() API function). The browser will not load non-JavaScript MIME types in a <script> tag, because the response header X-Content-Type-Options is set to nosniff, which requires every script resource to be served with a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.
Product: MantisBT

CVE-2026-40596 (May 22, 2026)
MantisBT 2.11.0-2.28.1 XSS on font-family field (fixed in 2.28.2)
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, the XSS payload is reflected on every MantisBT page. Combined with another vulnerability (the CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
Product: MantisBT

CVE-2026-39960 (May 20, 2026)
MantisBT 2.28.1 and below: XSS via textarea custom field
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, which can lead to administrator account takeover and full access to project data. To exploit this issue, a textarea-type custom field must be configured for the project and the attacker must be an authenticated user with bug report permission (low privilege). The injected content can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by keeping the default Content Security Policy, which blocks script execution. Note that CVE-2026-40597 above describes a bypass of that policy's script-src directive on the same versions, so this workaround only holds as long as the attacker cannot upload an attachment that is sniffed as JavaScript.
Product: MantisBT
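The version ranges in the entries above, as an added worked example (not code from stack.watch, NVD or the MantisBT project): a small Python checker that parses a MantisBT version string and reports which of the ten listed CVEs apply to it. The ranges are transcribed from the entries; where an entry only says "prior to 2.28.2" or "2.28.1 and below", no lower bound is applied. The version strings checked at the bottom are constructed inputs, not real hosts.

```python
"""Map an installed MantisBT version to the advisories listed above.

Added example (not from stack.watch, NVD or the MantisBT project): the
version ranges are transcribed from the entries on this page; the
version strings checked at the bottom are constructed inputs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.28.1' (or '2.28.1-dev') into a comparable tuple.

    Only the leading dotted-numeric part is compared; a suffix such as
    '-dev' is ignored. Short forms are padded so '2.28' == (2, 28, 0).
    """
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised MantisBT version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    cve: str
    summary: str
    first_affected: Optional[str]  # inclusive; None when the entry gives no lower bound
    last_affected: str             # inclusive
    fixed_in: str


# Transcribed from the entries above (every one of them is fixed in 2.28.2).
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2026-42071", "REST/SOAP attachment download on private bugnotes", "2.23.0", "2.28.1", "2.28.2"),
    Advisory("CVE-2026-42070", "mc_issue_update() lets UPDATER edit others' bugnotes", None, "2.28.1", "2.28.2"),
    Advisory("CVE-2026-44655", "HTML injection via project name on Move Attachments page", "1.3.0", "2.28.1", "2.28.2"),
    Advisory("CVE-2026-41897", "HTML injection via filter_target on return_dynamic_filters.php", "1.0.0", "2.28.1", "2.28.2"),
    Advisory("CVE-2026-44657", "script execution via inline XHTML attachment on file_download.php", None, "2.28.1", "2.28.2"),
    Advisory("CVE-2026-40607", "stored XSS via saved-filter owner real name", "2.11.0", "2.28.1", "2.28.2"),
    Advisory("CVE-2026-40598", "HTML injection via Referer-based redirect", None, "2.28.1", "2.28.2"),
    Advisory("CVE-2026-40597", "CSP script-src bypass via JavaScript-typed attachment", None, "2.28.1", "2.28.2"),
    Advisory("CVE-2026-40596", "XSS via account font-family setting", "2.11.0", "2.28.1", "2.28.2"),
    Advisory("CVE-2026-39960", "XSS via textarea custom field on bug_update_page.php", None, "2.28.1", "2.28.2"),
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when `version` falls inside the advisory's affected range."""
    v = parse_version(version)
    if v >= parse_version(adv.fixed_in):
        return False
    if adv.first_affected is not None and v < parse_version(adv.first_affected):
        return False
    return v <= parse_version(adv.last_affected)


def affecting(version: str) -> List[str]:
    """CVE ids from the list above that apply to `version`, in page order."""
    return [a.cve for a in ADVISORIES if is_affected(version, a)]


def report(version: str) -> str:
    """One-line triage summary suitable for an inventory script."""
    hits = affecting(version)
    if not hits:
        return f"MantisBT {version}: none of the listed advisories apply"
    return (f"MantisBT {version}: {len(hits)} listed advisories apply, "
            f"upgrade to 2.28.2 ({', '.join(hits)})")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("2.28.2", "2.28.1", "2.22.0-dev", "1.2.19"):
        print(report(v))
```

The lower bounds matter for triage: a 2.22.x instance is not exposed to the REST/SOAP attachment bypass (CVE-2026-42071 starts at 2.23.0) but is still exposed to the other nine, and a 1.2.x instance predates the saved-filter, font-family and Move Attachments issues while remaining inside the ranges the page gives as "prior to 2.28.2".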
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).