PT-2026-60370 · Packagist · Mantisbt/Mantisbt
CVE-2026-52883
·
Published
2026-07-15
·
Updated
2026-07-15
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Unvalidated note type Parameter in mc issue update SOAP Endpoint Allows creation of TIME TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note type integer directly to bugnote add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g time tracking view threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME TRACKING notes (but not REMINDER) through the same mc issue update() function.
Impact
An attacker with UPDATER access could:
- Inject fake billable hours via TIME TRACKING notes (note type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
- Fake REMINDER notes registered (but without actual sending of notifications).
Patches
Workarounds
None
Resources
Credits
Thanks to the following security researchers for discovering and responsibly reporting the issue
- Vishal Shukla
- Psalms Christopher Matovu (@byteoverride)
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt/Mantisbt