PT-2026-60370 · Packagist · Mantisbt/Mantisbt

CVE-2026-52883

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Unvalidated note type Parameter in mc issue update SOAP Endpoint Allows creation of TIME TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note type integer directly to bugnote add() without validating that the user is authorized to create that type of note. If the user's access level is higher than $g time tracking view threshold, they can also inject arbitrary hours into billing reports.
REST API also allows injection of TIME TRACKING notes (but not REMINDER) through the same mc issue update() function.

Impact

An attacker with UPDATER access could:
  • Inject fake billable hours via TIME TRACKING notes (note type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
  • Fake REMINDER notes registered (but without actual sending of notifications).

Patches

Workarounds

None

Resources

Credits

Thanks to the following security researchers for discovering and responsibly reporting the issue
  • Vishal Shukla
  • Psalms Christopher Matovu (@byteoverride)

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52883
GHSA-4VPF-W7QV-5H3Q

Affected Products

Mantisbt/Mantisbt