Back to search
CVE-2026-42070
Published: May 28, 2026
Modified: Jun 2, 2026
PUBLISHED
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
| Vendor | Product | Versions |
|---|---|---|
mantisbt | mantisbt | affected < 2.28.2 |
Weaknesses (CWE)
References
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
x_refsource_CONFIRM
https://mantisbt.org/bugs/view.php?id=37089
x_refsource_MISC
https://mantisbt.org/bugs/view.php?id=37093
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now