PT-2026-39890 · Git+2 · Mantisbt+1

Published

2026-05-11

·

Updated

2026-05-28

·

CVE-2026-42070

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker (MantisBT) versions prior to 2.28.2
Description The mc issue update() function allows users with update bug threshold access (UPDATER) to edit, change the view state, and modify time tracking on bugnotes belonging to other users. This bypasses the default DEVELOPER (level 55) threshold required by the mc issue note update() function. Consequently, an UPDATER can edit notes created by a DEVELOPER, MANAGER, or ADMIN, and can change private notes to public, exposing confidential internal discussions, or change public notes to private, hiding information from reporters and viewers.
Recommendations Update to version 2.28.2.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42070
GHSA-PQ86-J2C2-47F6

Affected Products

Mantisbt
Mantisbt/Mantisbt