PT-2026-60355 · Packagist · Mantisbt/Mantisbt

CVE-2026-47142

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

8.5

High

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/history api.php. The history order configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist.
An administrator can set this configuration value via the web UI (adm config set.php) or the REST API (PATCH /api/rest/config). The injected SQL then executes whenever any user views a bug with history entries.

Impact

  • Sensitive data extraction from the entire bugtracker database including user credentials (cookie string, password hashes), API tokens, and private issue data
  • With MySQL FILE privilege: full RCE via INTO OUTFILE writing a PHP webshell to the web root
  • The admin plants the payload once; any authenticated user viewing a bug with history triggers the injection

Patches

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Resources

Credits

McCaulay Hudson (@McCaulay) of watchTowr

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47142
GHSA-MW6P-33VW-46CC

Affected Products

Mantisbt/Mantisbt