Multiple security vulnerabilities have been identified in mantisbt/mantisbt, including SQL injection and remote code execution. The overall risk is high due to the potential for privilege escalation and unauthorized access. Affected version range: 2.28.4.
CVE-2026-47142 (CVSS 8.5 — High): An attacker can exploit a SQL injection vulnerability via the history_order configuration value, allowing them to inject malicious SQL code. The affected component is the MantisBT application.[/subscribe_to_unlock_form]
Multiple security vulnerabilities have been identified in mantisbt/mantisbt, including SQL injection and remote code execution. The overall risk is high due to the potential for privilege escalation and unauthorized access. Affected version range: 2.28.4.
CVE-2026-47142 (CVSS 8.5 — High): An attacker can exploit a SQL injection vulnerability via the history_order configuration value, allowing them to inject malicious SQL code. The affected component is the MantisBT application.[emaillocker id="1283"]
CVE-2026-47156 (CVSS 9.3 — Critical): An attacker can bypass SOAP API authentication and escalate privileges to administrator using a specific configuration value. The affected component is the MantisBT application.
CVE-2026-49273 (CVSS 8.6 — High): A remote code execution vulnerability exists due to eval class hoisting in adm_config_set.php, allowing an attacker to execute arbitrary code on the system. The affected component is the MantisBT application.
CVE-2026-49280 (CVSS 5.3 — Medium): An unauthorized issue status change can be made via the REST API, potentially leading to data tampering or other malicious activities. The affected component is the MantisBT application.
CVE-2026-52847 (CVSS 9.2 — Critical): A reflected XSS vulnerability in MantisBT allows unauthenticated attackers to inject malicious content into the installation page, enabling credential phishing, open redirects, and UI manipulation attacks.
CVE-2026-52881 (CVSS 9.2 — Critical): A reflected XSS vulnerability in MantisBT allows unauthenticated attackers to inject malicious content through unescaped input on the installation page, enabling credential phishing, open redirects, and UI manipulation attacks.
CVE-2026-52882 (CVSS 5.3 — Medium): An authorization bypass vulnerability in MantisBT allows users with limited permissions to assign unreleased product versions, enabling unauthorized modification of issue metadata and workflow information.
CVE-2026-52883 (CVSS 5.3 — Medium): An improper authorization vulnerability in MantisBT SOAP and REST APIs allows users with updater privileges to create unauthorized TIME_TRACKING and REMINDER Notes, enabling manipulation of billing data, time reports, and project records.
CVE-2026-62944 (CVSS 8.6 — High): A stored XSS vulnerability in MantisBT allows authenticated users to inject malicious HTML through crafted image attachment filenames, enabling JavaScript execution when exported issue pages are viewed.
We recommend you to update mantisbt/mantisbt version 2.28.4 or later.
The following reports contain further technical details:
[/emaillocker]