Threat Advisory

Multiple MantisBT Vulnerabilities Enable SQL Injection Through History Order Value

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in mantisbt/mantisbt, including SQL injection and remote code execution. The overall risk is high due to the potential for privilege escalation and unauthorized access. Affected version range: 2.28.4.

CVE-2026-47142 (CVSS 8.5 — High): An attacker can exploit a SQL injection vulnerability via the history_order configuration value, allowing them to inject malicious SQL code. The affected component is the MantisBT application.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in mantisbt/mantisbt, including SQL injection and remote code execution. The overall risk is high due to the potential for privilege escalation and unauthorized access. Affected version range: 2.28.4.

CVE-2026-47142 (CVSS 8.5 — High): An attacker can exploit a SQL injection vulnerability via the history_order configuration value, allowing them to inject malicious SQL code. The affected component is the MantisBT application.[emaillocker id="1283"]

CVE-2026-47156 (CVSS 9.3 — Critical): An attacker can bypass SOAP API authentication and escalate privileges to administrator using a specific configuration value. The affected component is the MantisBT application.

CVE-2026-49273 (CVSS 8.6 — High): A remote code execution vulnerability exists due to eval class hoisting in adm_config_set.php, allowing an attacker to execute arbitrary code on the system. The affected component is the MantisBT application.

CVE-2026-49280 (CVSS 5.3 — Medium): An unauthorized issue status change can be made via the REST API, potentially leading to data tampering or other malicious activities. The affected component is the MantisBT application.

CVE-2026-52847 (CVSS 9.2 — Critical): A reflected XSS vulnerability in MantisBT allows unauthenticated attackers to inject malicious content into the installation page, enabling credential phishing, open redirects, and UI manipulation attacks.

CVE-2026-52881 (CVSS 9.2 — Critical): A reflected XSS vulnerability in MantisBT allows unauthenticated attackers to inject malicious content through unescaped input on the installation page, enabling credential phishing, open redirects, and UI manipulation attacks.

CVE-2026-52882 (CVSS 5.3 — Medium): An authorization bypass vulnerability in MantisBT allows users with limited permissions to assign unreleased product versions, enabling unauthorized modification of issue metadata and workflow information.

CVE-2026-52883 (CVSS 5.3 — Medium): An improper authorization vulnerability in MantisBT SOAP and REST APIs allows users with updater privileges to create unauthorized TIME_TRACKING and REMINDER Notes, enabling manipulation of billing data, time reports, and project records.

CVE-2026-62944 (CVSS 8.6 — High): A stored XSS vulnerability in MantisBT allows authenticated users to inject malicious HTML through crafted image attachment filenames, enabling JavaScript execution when exported issue pages are viewed.

RECOMMENDATION:

We recommend you to update mantisbt/mantisbt version 2.28.4 or later.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu