Lookup for vulnerable packages by Package URL.

purl pkg:composer/mantisbt/mantisbt@2.28.1
type composer
namespace mantisbt
name mantisbt
version 2.28.1
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 2.28.2
latest_non_vulnerable_version 2.28.2
Affected_by_vulnerabilities
0
url VCID-3nh1-gqxv-jyce
vulnerability_id VCID-3nh1-gqxv-jyce
summary
MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API
### Impact
MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.

### Patches
- b262b4d2835b81394d75356dead66e52a6275206

### Workarounds
None.

### Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34754
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08403
published_at 2026-06-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08378
published_at 2026-06-09T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08347
published_at 2026-06-08T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08411
published_at 2026-06-05T12:55:00Z
4
value 0.00028
scoring_system epss
scoring_elements 0.08423
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34754
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T15:07:20Z/
url https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T15:07:20Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
4
reference_url https://mantisbt.org/bugs/view.php?id=36976
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T15:07:20Z/
url https://mantisbt.org/bugs/view.php?id=36976
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34754
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34754
6
reference_url https://github.com/advisories/GHSA-h4x5-gvx6-3rwc
reference_id GHSA-h4x5-gvx6-3rwc
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-h4x5-gvx6-3rwc
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34754, GHSA-h4x5-gvx6-3rwc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3nh1-gqxv-jyce
1
url VCID-3p27-9b1r-nqbh
vulnerability_id VCID-3p27-9b1r-nqbh
summary
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded.

### Impact
Session theft leading to admin account takeover, full project data access.

- Precondition: A textarea-type custom field must be configured for the project
- Attacker: Authenticated user with bug report permission (low privilege)
- Victim: Any user viewing the bug edit form, including administrators

### Patches
- 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7

### Workarounds
The default Content-Security Policy will block script execution.

### References
- https://mantisbt.org/bugs/view.php?id=37003
- This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq).

### Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and for providing a patch to fix it:
- Nozomu Sasaki (Paul) (@morimori-dev)
- Tristan Madani (@TristanInSec) from Talence Security
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39960
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.10236
published_at 2026-06-07T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.10189
published_at 2026-06-09T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10153
published_at 2026-06-08T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.10257
published_at 2026-06-05T12:55:00Z
4
value 0.00033
scoring_system epss
scoring_elements 0.10277
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39960
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-21T13:29:35Z/
url https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-21T13:29:35Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
4
reference_url https://mantisbt.org/bugs/view.php?id=37003
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://mantisbt.org/bugs/view.php?id=37003
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39960
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39960
6
reference_url https://github.com/advisories/GHSA-qj6w-v29q-4rgx
reference_id GHSA-qj6w-v29q-4rgx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qj6w-v29q-4rgx
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-39960, GHSA-qj6w-v29q-4rgx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3p27-9b1r-nqbh
2
url VCID-41x9-p7gv-8fc2
vulnerability_id VCID-41x9-p7gv-8fc2
summary
MantisBT Vulnerable to Privilege Escalation from Manager to Administrator
Insufficient access control checks in _ProjectUsersAddCommand_ (used in *manage_proj_user_add.php* and the REST API endpoint `PUT /project/{id}/users`) allow users having *manage_project_threshold* access level (*manager* by default) to grant project-level *administrator* access to any user (including themselves) in any Project they have *manager* rights in.

The normal project-user add form does restrict the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it.

### Impact
Privilege escalation.

The consequences of the privilege escalation are not as bad as they may sound, because having *administrator* access at Project level is effectively not very different from being *manager*; it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc.

### Patches
- 69e0180f180ed5acf48a8d281a73683a7bf32461

### Workarounds
None

### Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue:
- [Dracosec Research Limited](https://dracosec.tech/) (Siu Nam Tang, Chris Chan, Krecendo Hui, William Lam)
- Vishal Shukla
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34390
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.03328
published_at 2026-06-07T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.03298
published_at 2026-06-09T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03308
published_at 2026-06-08T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03348
published_at 2026-06-05T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03358
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34390
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/
url https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
4
reference_url https://mantisbt.org/bugs/view.php?id=36995
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/
url https://mantisbt.org/bugs/view.php?id=36995
5
reference_url https://mantisbt.org/bugs/view.php?id=37002
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:05:44Z/
url https://mantisbt.org/bugs/view.php?id=37002
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34390
reference_id
reference_type
scores
0
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34390
7
reference_url https://github.com/advisories/GHSA-frf7-jhp9-jxm6
reference_id GHSA-frf7-jhp9-jxm6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-frf7-jhp9-jxm6
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34390, GHSA-frf7-jhp9-jxm6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-41x9-p7gv-8fc2
3
url VCID-9y6t-pvae-vuar
vulnerability_id VCID-9y6t-pvae-vuar
summary
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML.

While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting.

### Impact
Cross-site scripting (XSS).

### Patches
- b1ebc57763f104eb5f541b7b4d1ce6948168abd9

### Workarounds
None

### Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40598
reference_id
reference_type
scores
0
value 0.00059
scoring_system epss
scoring_elements 0.18594
published_at 2026-06-07T12:55:00Z
1
value 0.00059
scoring_system epss
scoring_elements 0.1853
published_at 2026-06-09T12:55:00Z
2
value 0.00059
scoring_system epss
scoring_elements 0.18512
published_at 2026-06-08T12:55:00Z
3
value 0.00059
scoring_system epss
scoring_elements 0.1863
published_at 2026-06-05T12:55:00Z
4
value 0.00059
scoring_system epss
scoring_elements 0.18633
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40598
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T02:39:01Z/
url https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T02:39:01Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37
4
reference_url https://mantisbt.org/bugs/view.php?id=37017
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T02:39:01Z/
url https://mantisbt.org/bugs/view.php?id=37017
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40598
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40598
6
reference_url https://github.com/advisories/GHSA-6jh4-47v2-4g37
reference_id GHSA-6jh4-47v2-4g37
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6jh4-47v2-4g37
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-40598, GHSA-6jh4-47v2-4g37
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9y6t-pvae-vuar
4
url VCID-bx5c-hd4c-r3hn
vulnerability_id VCID-bx5c-hd4c-r3hn
summary
MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue
MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied.

### Impact
The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that were previously uploaded by the user themselves remain accessible.

### Patches
- de7bdeec36de066235e38a77bf056917d951c84d

### Workarounds
None.

### Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34744
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02532
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.0242
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02459
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02475
published_at 2026-06-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02533
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34744
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/
url https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
4
reference_url https://mantisbt.org/bugs/view.php?id=36977
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/
url https://mantisbt.org/bugs/view.php?id=36977
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34744
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34744
6
reference_url https://github.com/advisories/GHSA-rmp5-5jj7-gmvf
reference_id GHSA-rmp5-5jj7-gmvf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rmp5-5jj7-gmvf
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34744, GHSA-rmp5-5jj7-gmvf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bx5c-hd4c-r3hn
5
url VCID-cx6p-ncwb-k3bg
vulnerability_id VCID-cx6p-ncwb-k3bg
summary
MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked
MantisBT allows a bugnote author to access the note's Revisions page after losing access to the parent private issue.

### Impact
Disclosure of the private Issue's Id and Summary. The bugnote full revision body remains secure.

### Patches
- 71df1f67e05b2050cd4bd87839e6cc13747cf03f

### Workarounds
None

### Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34970
reference_id
reference_type
scores
0
value 0.00015
scoring_system epss
scoring_elements 0.0309
published_at 2026-06-05T12:55:00Z
1
value 0.00015
scoring_system epss
scoring_elements 0.02996
published_at 2026-06-09T12:55:00Z
2
value 0.00015
scoring_system epss
scoring_elements 0.03031
published_at 2026-06-08T12:55:00Z
3
value 0.00015
scoring_system epss
scoring_elements 0.03048
published_at 2026-06-07T12:55:00Z
4
value 0.00015
scoring_system epss
scoring_elements 0.03099
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34970
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/
url https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
4
reference_url https://mantisbt.org/bugs/view.php?id=36978
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/
url https://mantisbt.org/bugs/view.php?id=36978
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34970
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34970
6
reference_url https://github.com/advisories/GHSA-crmx-4p49-46m2
reference_id GHSA-crmx-4p49-46m2
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-crmx-4p49-46m2
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34970, GHSA-crmx-4p49-46m2
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cx6p-ncwb-k3bg
6
url VCID-es4b-p6jh-7fgf
vulnerability_id VCID-es4b-p6jh-7fgf
summary
MantisBT has a Private Bugnote Attachment Content Leak via REST API
A missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get endpoint.

### Impact
- REPORTER (access level 25) can view file attachments that were uploaded to private bugnotes by DEVELOPER/MANAGER/ADMIN users
- Private bugnotes are intended for internal developer discussion; their attachments (logs, screenshots, patches) should be equally protected
- The web UI is NOT affected — it filters through bugnote_get_all_visible_bugnotes() first

### Patches
- 029d9d203d9e4ae96b3e59d552fa7395cc1e5071

### Workarounds
None

### Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue:
- Vishal Shukla
- Tristan Madani (@TristanInSec) from Talence Security
- Tang Cheuk Hei (@siunam321)

This advisory's contents were largely copied from Tristan's well-written report.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42071
reference_id
reference_type
scores
0
value 0.00046
scoring_system epss
scoring_elements 0.14742
published_at 2026-06-05T12:55:00Z
1
value 0.00046
scoring_system epss
scoring_elements 0.14649
published_at 2026-06-09T12:55:00Z
2
value 0.00046
scoring_system epss
scoring_elements 0.14625
published_at 2026-06-08T12:55:00Z
3
value 0.00046
scoring_system epss
scoring_elements 0.14707
published_at 2026-06-07T12:55:00Z
4
value 0.00046
scoring_system epss
scoring_elements 0.14749
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42071
1
reference_url https://github.com/advisories/GHSA-xjmx-cprh-646r
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-xjmx-cprh-646r
2
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
3
reference_url https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/
url https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071
4
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8
5
reference_url https://mantisbt.org/bugs/view.php?id=27039
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/
url https://mantisbt.org/bugs/view.php?id=27039
6
reference_url https://mantisbt.org/bugs/view.php?id=36985
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/
url https://mantisbt.org/bugs/view.php?id=36985
7
reference_url https://mantisbt.org/bugs/view.php?id=37092
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T13:56:42Z/
url https://mantisbt.org/bugs/view.php?id=37092
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42071
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42071
9
reference_url https://github.com/advisories/GHSA-pw5x-2mf9-3xc8
reference_id GHSA-pw5x-2mf9-3xc8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pw5x-2mf9-3xc8
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-42071, GHSA-pw5x-2mf9-3xc8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-es4b-p6jh-7fgf
7
url VCID-hcet-rrn3-j7gj
vulnerability_id VCID-hcet-rrn3-j7gj
summary
MantisBT has Stored XSS on Move Attachments Admin Page
Unescaped Project Name allows an attacker who can set it (which typically requires manager or administrator access level) to inject HTML into the Move Attachments admin page.

### Impact
Cross-site scripting (XSS).
This is mitigated by Content Security Policy which restricts scripts execution.

### Patches
- 5cb4b469295889f5d2b01677c9bf82c143e0fdaa

### Workarounds
None
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44655
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.17941
published_at 2026-06-08T12:55:00Z
1
value 0.00057
scoring_system epss
scoring_elements 0.18017
published_at 2026-06-07T12:55:00Z
2
value 0.00057
scoring_system epss
scoring_elements 0.18055
published_at 2026-06-06T12:55:00Z
3
value 0.00057
scoring_system epss
scoring_elements 0.1796
published_at 2026-06-09T12:55:00Z
4
value 0.00057
scoring_system epss
scoring_elements 0.18054
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44655
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T19:11:59Z/
url https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T19:11:59Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59
4
reference_url https://mantisbt.org/bugs/view.php?id=37099
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://mantisbt.org/bugs/view.php?id=37099
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44655
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44655
6
reference_url https://github.com/advisories/GHSA-7mqj-8gj2-cg59
reference_id GHSA-7mqj-8gj2-cg59
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7mqj-8gj2-cg59
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-44655, GHSA-7mqj-8gj2-cg59
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hcet-rrn3-j7gj
8
url VCID-hjug-mc57-nyaf
vulnerability_id VCID-hjug-mc57-nyaf
summary
MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form
When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker who can set the Project's name (which typically requires *manager* or *administrator* access level) to inject HTML.


### Impact
Cross-site scripting (XSS).
This is mitigated by Content Security Policy which restricts scripts execution.

### Patches
- df22697ae497ddd93f3d9132fdf4979db8d081cd

### Workarounds
Make sure Project names do not contain any HTML tags.

### Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34463
reference_id
reference_type
scores
0
value 0.00017
scoring_system epss
scoring_elements 0.04504
published_at 2026-06-07T12:55:00Z
1
value 0.00017
scoring_system epss
scoring_elements 0.04493
published_at 2026-06-09T12:55:00Z
2
value 0.00017
scoring_system epss
scoring_elements 0.04469
published_at 2026-06-08T12:55:00Z
3
value 0.00017
scoring_system epss
scoring_elements 0.04523
published_at 2026-06-05T12:55:00Z
4
value 0.00017
scoring_system epss
scoring_elements 0.04516
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34463
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-20T13:36:36Z/
url https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-20T13:36:36Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2
4
reference_url https://mantisbt.org/bugs/view.php?id=36986
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-20T13:36:36Z/
url https://mantisbt.org/bugs/view.php?id=36986
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34463
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34463
6
reference_url https://github.com/advisories/GHSA-fvjf-68wh-rwp2
reference_id GHSA-fvjf-68wh-rwp2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fvjf-68wh-rwp2
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34463, GHSA-fvjf-68wh-rwp2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hjug-mc57-nyaf
9
url VCID-kd7p-6ypr-hucb
vulnerability_id VCID-kd7p-6ypr-hucb
summary
MantisBT has an authorization bypass in private issue monitoring
Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue.


### Impact
Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content.

### Patches
- 0a93267deba445fb9d15250c16e6fdb1246ffa65

### Workarounds
None

### Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34579
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02532
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.0242
published_at 2026-06-09T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02459
published_at 2026-06-08T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02475
published_at 2026-06-07T12:55:00Z
4
value 0.00014
scoring_system epss
scoring_elements 0.02533
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34579
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/
url https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
4
reference_url https://mantisbt.org/bugs/view.php?id=36975
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T14:25:53Z/
url https://mantisbt.org/bugs/view.php?id=36975
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34579
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34579
6
reference_url https://github.com/advisories/GHSA-ggw7-9675-6v4v
reference_id GHSA-ggw7-9675-6v4v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ggw7-9675-6v4v
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-34579, GHSA-ggw7-9675-6v4v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kd7p-6ypr-hucb
10
url VCID-tmey-9ntn-xkf9
vulnerability_id VCID-tmey-9ntn-xkf9
summary
MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference
Any authenticated user can inject arbitrary HTML via updating their account's font family.

### Impact
Cross-site scripting.
The injected payload will be reflected in every MantisBT page.

Leveraging another vulnerability (CSP bypass, see [GHSA-9c3j-xm6v-j7j3](https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3)), the attacker could achieve account takeover.

### Patches
- 9e8409cdd979eba86ef532756fc47c1d8112d22d

### Workarounds
None

### Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40596
reference_id
reference_type
scores
0
value 0.00056
scoring_system epss
scoring_elements 0.17862
published_at 2026-06-07T12:55:00Z
1
value 0.00056
scoring_system epss
scoring_elements 0.17804
published_at 2026-06-09T12:55:00Z
2
value 0.00056
scoring_system epss
scoring_elements 0.17786
published_at 2026-06-08T12:55:00Z
3
value 0.00056
scoring_system epss
scoring_elements 0.17897
published_at 2026-06-06T12:55:00Z
4
value 0.00056
scoring_system epss
scoring_elements 0.179
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40596
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-22T20:10:08Z/
url https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-22T20:10:08Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
4
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-22T20:10:08Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j
5
reference_url https://mantisbt.org/bugs/view.php?id=37011
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-22T20:10:08Z/
url https://mantisbt.org/bugs/view.php?id=37011
6
reference_url https://mantisbt.org/bugs/view.php?id=37016
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-22T20:10:08Z/
url https://mantisbt.org/bugs/view.php?id=37016
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40596
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40596
8
reference_url https://github.com/advisories/GHSA-j3v9-553h-x28j
reference_id GHSA-j3v9-553h-x28j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j3v9-553h-x28j
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-40596, GHSA-j3v9-553h-x28j
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tmey-9ntn-xkf9
11
url VCID-tndh-byw2-xbh6
vulnerability_id VCID-tndh-byw2-xbh6
summary
MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline
Improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted.

### Impact
Cross-site scripting (XSS).

### Patches
- f32787c14d4518476fe7f05f992dbfe6eaccd815

### Workarounds
* Edit offending History entries (using SQL)
* Wrap `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()

### Credits
MantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33548
reference_id
reference_type
scores
0
value 0.00046
scoring_system epss
scoring_elements 0.14711
published_at 2026-06-05T12:55:00Z
1
value 0.00046
scoring_system epss
scoring_elements 0.14616
published_at 2026-06-09T12:55:00Z
2
value 0.00046
scoring_system epss
scoring_elements 0.14592
published_at 2026-06-08T12:55:00Z
3
value 0.00046
scoring_system epss
scoring_elements 0.14675
published_at 2026-06-07T12:55:00Z
4
value 0.00046
scoring_system epss
scoring_elements 0.14717
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33548
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T16:05:45Z/
url https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T16:05:45Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5
4
reference_url https://mantisbt.org/bugs/view.php?id=36973
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://mantisbt.org/bugs/view.php?id=36973
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33548
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33548
6
reference_url https://github.com/advisories/GHSA-73vx-49mv-v8w5
reference_id GHSA-73vx-49mv-v8w5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-73vx-49mv-v8w5
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-33548, GHSA-73vx-49mv-v8w5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tndh-byw2-xbh6
12
url VCID-vgup-xrgt-57bd
vulnerability_id VCID-vgup-xrgt-57bd
summary
MantisBT Vulnerable to Stored XSS in File Download
Using *show_inline=1* parameter and a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment.

### Impact
Cross-site scripting

### Patches
- 26647b2e68ba30b9d7987d4e03d7a16416684bc2

### Workarounds
None

### Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44657
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.22094
published_at 2026-06-07T12:55:00Z
1
value 0.00072
scoring_system epss
scoring_elements 0.22048
published_at 2026-06-09T12:55:00Z
2
value 0.00072
scoring_system epss
scoring_elements 0.22037
published_at 2026-06-08T12:55:00Z
3
value 0.00072
scoring_system epss
scoring_elements 0.22142
published_at 2026-06-06T12:55:00Z
4
value 0.00072
scoring_system epss
scoring_elements 0.22155
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44657
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T14:49:46Z/
url https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T14:49:46Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
4
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T14:49:46Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8
5
reference_url https://mantisbt.org/bugs/view.php?id=37020
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-29T14:49:46Z/
url https://mantisbt.org/bugs/view.php?id=37020
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44657
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44657
7
reference_url https://github.com/advisories/GHSA-p6fr-rxq7-xcg8
reference_id GHSA-p6fr-rxq7-xcg8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p6fr-rxq7-xcg8
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-44657, GHSA-p6fr-rxq7-xcg8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vgup-xrgt-57bd
13
url VCID-vgyy-dkby-w3ak
vulnerability_id VCID-vgyy-dkby-w3ak
summary
MantisBT has a Content Security Policy bypass via attachments
Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's _script-src_ directive by uploading a crafted attachment to any issue that, when accessed via the _file_download.php_ link, will be downloaded with a valid JavaScript MIME type resulting in script execution.

The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a `<script>` tag by the browser, due to response header X-Content-Type-Options being set to _nosniff_, which requires all imported JavaScript files to be a valid JavaScript MIME type.

### Impact
Cross-site scripting

### Patches
- 9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe

### Workarounds
None

### Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
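The two attachment advisories above (stored XSS via an XHTML attachment served inline through file_download.php, and the CSP script-src bypass via an attachment that finfo sniffs as JavaScript) share one root cause: a user-uploaded file is returned under whatever MIME type the sniffer derives from its bytes. The following serving policy is an added example, not MantisBT's code or its actual patch. `sniffed_mime` stands in for the finfo result and `inline_requested` for a show_inline=1 style parameter; the type lists and the "+xml" rule are this example's own conservative choices.

```python
"""Added example (not MantisBT code): a serving policy for user-uploaded
attachments that closes the CSP script-src bypass described in the advisory.

With X-Content-Type-Options: nosniff, a <script src="...file_download.php..."> import only runs
when the served type is a JavaScript type, so the decision that matters is made at the
download endpoint, not in the CSP. `sniffed_mime` stands for the content-sniffer result
(PHP finfo in MantisBT) and `inline_requested` for a show_inline=1 style parameter.
"""
from dataclasses import dataclass

# Types a browser executes or renders as active content. JavaScript types are the
# direct bypass; HTML, XHTML and SVG are included because they carry script when rendered.
ACTIVE_CONTENT_TYPES = frozenset({
    "text/javascript", "application/javascript", "application/x-javascript",
    "application/ecmascript", "application/x-ecmascript", "text/ecmascript", "text/jscript",
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml",
})

# Types that may be displayed inline: no script execution context when rendered on
# their own. PDFs are deliberately absent (they can embed script); everything not
# listed here is delivered as a download.
INLINE_ALLOWED_TYPES = frozenset({
    "image/png", "image/jpeg", "image/gif", "image/webp", "image/bmp", "text/plain",
})


def normalize_mime(mime: str) -> str:
    """Drop parameters and case: 'Text/JavaScript; charset=UTF-8' -> 'text/javascript'."""
    return mime.split(";", 1)[0].strip().lower()


def is_active_content(mime: str) -> bool:
    """True for any type that must never be served under its own MIME type.

    Generalizes the advisory's JavaScript case (an assumption of this example): any
    '+xml' structured-suffix type is treated as active too, since an XML document can
    embed XHTML or SVG content.
    """
    m = normalize_mime(mime)
    return m in ACTIVE_CONTENT_TYPES or m.endswith("+xml")


def safe_filename(filename: str) -> str:
    """Strip characters that would break out of the Content-Disposition quoting."""
    kept = "".join(ch for ch in filename if ch not in '"\\\r\n' and ord(ch) >= 0x20)
    return kept or "attachment"


@dataclass(frozen=True)
class DownloadHeaders:
    content_type: str
    content_disposition: str

    def as_dict(self) -> dict:
        headers = {
            "Content-Type": self.content_type,
            "Content-Disposition": self.content_disposition,
            "X-Content-Type-Options": "nosniff",
        }
        if self.content_disposition.startswith("inline"):
            # Even for allow-listed inline types, deny the response any script or
            # same-origin powers in case the sniffer was wrong about the bytes.
            headers["Content-Security-Policy"] = "sandbox"
        return headers


def attachment_headers(filename: str, sniffed_mime: str, inline_requested: bool) -> DownloadHeaders:
    """Decide how an attachment is served. Inline display is an allow-list decision;
    active content and unknown types are always forced to a download under a type
    no browser will execute, regardless of what the request asked for."""
    name = safe_filename(filename)
    mime = normalize_mime(sniffed_mime)
    if inline_requested and not is_active_content(mime) and mime in INLINE_ALLOWED_TYPES:
        return DownloadHeaders(mime, f'inline; filename="{name}"')
    return DownloadHeaders("application/octet-stream", f'attachment; filename="{name}"')
```

The point of the allow-list is that a new sniffer result (or a new script-capable type) fails closed: it is downloaded as application/octet-stream unless someone explicitly adds it to INLINE_ALLOWED_TYPES.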
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40597
reference_id
reference_type
scores
0
value 0.00071
scoring_system epss
scoring_elements 0.21764
published_at 2026-06-07T12:55:00Z
1
value 0.00071
scoring_system epss
scoring_elements 0.21713
published_at 2026-06-09T12:55:00Z
2
value 0.00071
scoring_system epss
scoring_elements 0.21705
published_at 2026-06-08T12:55:00Z
3
value 0.00071
scoring_system epss
scoring_elements 0.21822
published_at 2026-06-05T12:55:00Z
4
value 0.00071
scoring_system epss
scoring_elements 0.2181
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40597
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T19:05:54Z/
url https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T19:05:54Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
4
reference_url https://mantisbt.org/bugs/view.php?id=37016
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-26T19:05:54Z/
url https://mantisbt.org/bugs/view.php?id=37016
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40597
reference_id
reference_type
scores
0
value 7.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40597
6
reference_url https://github.com/advisories/GHSA-9c3j-xm6v-j7j3
reference_id GHSA-9c3j-xm6v-j7j3
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9c3j-xm6v-j7j3
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-40597, GHSA-9c3j-xm6v-j7j3
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vgyy-dkby-w3ak
14
url VCID-xq7x-rtzx-wkef
vulnerability_id VCID-xq7x-rtzx-wkef
summary
MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API
The mc_issue_update() function in MantisBT allows users having *update_bug_threshold* access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function.

### Impact
1. UPDATER can edit notes by DEVELOPER/MANAGER/ADMIN — bypassing the DEVELOPER threshold
2. UPDATER can change private notes to public — exposing confidential internal discussion
3. UPDATER can change public notes to private — hiding information from reporters/viewers

### Patches
- 6e58fae4f22efdc3987f903c8ba2611de17a9435

### Workarounds
None

### Credits
Thanks to the following security researchers for independently discovering and responsibly reporting the issue.
- Vishal Shukla 
- Tristan Madani (@TristanInSec) from Talence Security 

This advisory's contents were largely copied from Tristan's well-written report.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-42070
reference_id
reference_type
scores
0
value 0.00043
scoring_system epss
scoring_elements 0.13657
published_at 2026-06-07T12:55:00Z
1
value 0.00043
scoring_system epss
scoring_elements 0.13604
published_at 2026-06-09T12:55:00Z
2
value 0.00043
scoring_system epss
scoring_elements 0.13572
published_at 2026-06-08T12:55:00Z
3
value 0.00043
scoring_system epss
scoring_elements 0.13693
published_at 2026-06-05T12:55:00Z
4
value 0.00043
scoring_system epss
scoring_elements 0.13697
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-42070
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/
url https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
4
reference_url https://mantisbt.org/bugs/view.php?id=37089
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/
url https://mantisbt.org/bugs/view.php?id=37089
5
reference_url https://mantisbt.org/bugs/view.php?id=37093
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T13:49:49Z/
url https://mantisbt.org/bugs/view.php?id=37093
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-42070
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-42070
7
reference_url https://github.com/advisories/GHSA-pq86-j2c2-47f6
reference_id GHSA-pq86-j2c2-47f6
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pq86-j2c2-47f6
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-42070, GHSA-pq86-j2c2-47f6
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xq7x-rtzx-wkef
15
url VCID-xymn-y9me-kbh9
vulnerability_id VCID-xymn-y9me-kbh9
summary
MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column
Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.

### Impact
Cross-site scripting (XSS).

Note that, by default, only users with *Manager* access level or above can save their filters publicly.

### Patches
- 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

### Workarounds
- Prevent display of users' real names (set `$g_show_user_realname = OFF;` in configuration)
- Restrict the ability to store filters (set `$g_stored_query_create_threshold` / `$g_stored_query_create_shared_threshold` to `NOBODY`)

### Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40607
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.17099
published_at 2026-06-07T12:55:00Z
1
value 0.00054
scoring_system epss
scoring_elements 0.17039
published_at 2026-06-09T12:55:00Z
2
value 0.00054
scoring_system epss
scoring_elements 0.1702
published_at 2026-06-08T12:55:00Z
3
value 0.00054
scoring_system epss
scoring_elements 0.17138
published_at 2026-06-05T12:55:00Z
4
value 0.00054
scoring_system epss
scoring_elements 0.17133
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40607
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-26T18:51:03Z/
url https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-26T18:51:03Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh
4
reference_url https://mantisbt.org/bugs/view.php?id=37015
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-26T18:51:03Z/
url https://mantisbt.org/bugs/view.php?id=37015
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40607
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40607
6
reference_url https://github.com/advisories/GHSA-f633-865q-2mhh
reference_id GHSA-f633-865q-2mhh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f633-865q-2mhh
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.2
purl pkg:composer/mantisbt/mantisbt@2.28.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.2
aliases CVE-2026-40607, GHSA-f633-865q-2mhh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xymn-y9me-kbh9
Fixing_vulnerabilities
0
url VCID-843s-1vx7-nueb
vulnerability_id VCID-843s-1vx7-nueb
summary
MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL
Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter.

Other database backends are not affected, as they do not perform implicit type conversion from string to integer.

### Impact
Using a crafted SOAP envelope, an attacker knowing the victim's username is able to log in to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to.

### Patches
* b349e5c890eeda9bd82e7c7e14479853f8a30d9f

### Workarounds
- [Disabling the SOAP API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.

### Resources
- https://mantisbt.org/bugs/view.php?id=36902

### Credits
MantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-30849
reference_id
reference_type
scores
0
value 0.0014
scoring_system epss
scoring_elements 0.33827
published_at 2026-06-09T12:55:00Z
1
value 0.0014
scoring_system epss
scoring_elements 0.33801
published_at 2026-06-08T12:55:00Z
2
value 0.0014
scoring_system epss
scoring_elements 0.33835
published_at 2026-06-07T12:55:00Z
3
value 0.0014
scoring_system epss
scoring_elements 0.3387
published_at 2026-06-06T12:55:00Z
4
value 0.0014
scoring_system epss
scoring_elements 0.33855
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-30849
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/
url https://github.com/mantisbt/mantisbt/commit/b349e5c890eeda9bd82e7c7e14479853f8a30d9f
3
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:29:55Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-phrq-pc6r-f6gh
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30849
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30849
5
reference_url https://github.com/advisories/GHSA-phrq-pc6r-f6gh
reference_id GHSA-phrq-pc6r-f6gh
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-phrq-pc6r-f6gh
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.1
purl pkg:composer/mantisbt/mantisbt@2.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3nh1-gqxv-jyce
1
vulnerability VCID-3p27-9b1r-nqbh
2
vulnerability VCID-41x9-p7gv-8fc2
3
vulnerability VCID-9y6t-pvae-vuar
4
vulnerability VCID-bx5c-hd4c-r3hn
5
vulnerability VCID-cx6p-ncwb-k3bg
6
vulnerability VCID-es4b-p6jh-7fgf
7
vulnerability VCID-hcet-rrn3-j7gj
8
vulnerability VCID-hjug-mc57-nyaf
9
vulnerability VCID-kd7p-6ypr-hucb
10
vulnerability VCID-tmey-9ntn-xkf9
11
vulnerability VCID-tndh-byw2-xbh6
12
vulnerability VCID-vgup-xrgt-57bd
13
vulnerability VCID-vgyy-dkby-w3ak
14
vulnerability VCID-xq7x-rtzx-wkef
15
vulnerability VCID-xymn-y9me-kbh9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.1
aliases CVE-2026-30849, GHSA-phrq-pc6r-f6gh
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-843s-1vx7-nueb
1
url VCID-pz1z-bah5-8fc9
vulnerability_id VCID-pz1z-bah5-8fc9
summary
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript.

### Impact
Cross-site scripting (XSS).

### Patches
80990f43153167c73f11eb4b2bc7108d0c3d6b46

### Workarounds
* Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9
* Manually edit language files to remove the sprintf placeholder `%1$s` from *$s_tag_delete_message*  string, for example with `sed -r -i '/tag_delete_message/s/.%1\$s.//' -- lang/`

### Credits
MantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33517
reference_id
reference_type
scores
0
value 0.00049
scoring_system epss
scoring_elements 0.15691
published_at 2026-06-08T12:55:00Z
1
value 0.00049
scoring_system epss
scoring_elements 0.15777
published_at 2026-06-07T12:55:00Z
2
value 0.00049
scoring_system epss
scoring_elements 0.15817
published_at 2026-06-06T12:55:00Z
3
value 0.00049
scoring_system epss
scoring_elements 0.1571
published_at 2026-06-09T12:55:00Z
4
value 0.00049
scoring_system epss
scoring_elements 0.15827
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33517
1
reference_url https://github.com/mantisbt/mantisbt
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mantisbt/mantisbt
2
reference_url https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:12:05Z/
url https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
3
reference_url https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:12:05Z/
url https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
4
reference_url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T14:12:05Z/
url https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp
5
reference_url https://mantisbt.org/bugs/view.php?id=36971
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://mantisbt.org/bugs/view.php?id=36971
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33517
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33517
7
reference_url https://github.com/advisories/GHSA-fh48-f69w-7vmp
reference_id GHSA-fh48-f69w-7vmp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh48-f69w-7vmp
fixed_packages
0
url pkg:composer/mantisbt/mantisbt@2.28.1
purl pkg:composer/mantisbt/mantisbt@2.28.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3nh1-gqxv-jyce
1
vulnerability VCID-3p27-9b1r-nqbh
2
vulnerability VCID-41x9-p7gv-8fc2
3
vulnerability VCID-9y6t-pvae-vuar
4
vulnerability VCID-bx5c-hd4c-r3hn
5
vulnerability VCID-cx6p-ncwb-k3bg
6
vulnerability VCID-es4b-p6jh-7fgf
7
vulnerability VCID-hcet-rrn3-j7gj
8
vulnerability VCID-hjug-mc57-nyaf
9
vulnerability VCID-kd7p-6ypr-hucb
10
vulnerability VCID-tmey-9ntn-xkf9
11
vulnerability VCID-tndh-byw2-xbh6
12
vulnerability VCID-vgup-xrgt-57bd
13
vulnerability VCID-vgyy-dkby-w3ak
14
vulnerability VCID-xq7x-rtzx-wkef
15
vulnerability VCID-xymn-y9me-kbh9
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.1
aliases CVE-2026-33517, GHSA-fh48-f69w-7vmp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pz1z-bah5-8fc9
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.28.1