PT-2026-39890 · Git+2 · Mantisbt+1
Published
2026-05-11
·
Updated
2026-05-28
·
CVE-2026-42070
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Mantis Bug Tracker (MantisBT) versions prior to 2.28.2
Description
The
mc issue update() function allows users with update bug threshold access (UPDATER) to edit, change the view state, and modify time tracking on bugnotes belonging to other users. This bypasses the default DEVELOPER (level 55) threshold required by the mc issue note update() function. Consequently, an UPDATER can edit notes created by a DEVELOPER, MANAGER, or ADMIN, and can change private notes to public, exposing confidential internal discussions, or change public notes to private, hiding information from reporters and viewers.Recommendations
Update to version 2.28.2.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt
Mantisbt/Mantisbt