These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
Mantis Bug Tracker (MantisBT) versions prior to 2.28.2 contain a stored cross-site scripting vulnerability that can lead to code execution. An attacker with the ability to upload attachments can craft a malicious XHTML file that references a separate JavaScript attachment. When a victim accesses the file_download.php endpoint with the show_inline=1 parameter and a valid file_show_inline_token CSRF token, [truncated]
Mantis Bug Tracker (MantisBT) versions 1.3.0 through 2.28.1 contain a stored cross-site scripting (XSS) vulnerability in the Project Name field. An attacker with manager or administrator privileges can inject malicious HTML into the Project Name, which renders unescaped on the Move Attachments administrative page. This allows execution of arbitrary scripts in the context of other administrators' sessions. [truncated]
Mantis Bug Tracker (MantisBT) versions 2.23.0 through 2.28.1 contain a missing authorization check in the file visibility function that allows any authenticated user with REPORTER privileges or higher to download attachments on private bugnotes they should not be able to access. The vulnerability affects both the REST API endpoint GET /api/rest/issues/{id}/files and the SOAP API mc_issue_attachment_get en [truncated]
MantisBT versions prior to 2.28.2 contain an authorization bypass in the SOAP API. The mc_issue_update() function permits users with update_bug_threshold access (UPDATER role, default level 25) to modify bugnotes—including view state and time tracking—belonging to other users. This circumvents the mc_issue_note_update() function's intended DEVELOPER threshold (level 55). The vulnerability stems from incon [truncated]
Mantis Bug Tracker (MantisBT) versions 1.0.0 through 2.28.1 contain a stored cross-site scripting (XSS) vulnerability in the `return_dynamic_filters.php` endpoint. The `filter_target` parameter lacks proper validation, allowing an attacker with authenticated access to inject arbitrary HTML when the target is a TEXTAREA custom field. This endpoint is typically invoked via AJAX from the View Issues Page. Th [truncated]
CVE-2026-39960 affects Mantis Bug Tracker versions 2.28.1 and below. According to the CVE description published on 2026-05-20, flawed escaping in the Update Issue page (bug_update_page.php) can let an authenticated low-privilege user inject HTML, and potentially JavaScript if the site’s Content-Security Policy permits script execution. The issue can expose sessions and, in the worst case described, lead t [truncated]
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an access control flaw where a bugnote author retains access to the note's Revisions page after losing access to the parent private issue. This represents an information disclosure vulnerability (CWE-200) where historical revision data remains exposed despite revocation of issue-level permissions. The vulnerability was fixed in version 2.28.2.
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an improper access control vulnerability (CWE-284) that allows authenticated users to upload attachments to private issues they are not authorized to access. This represents a broken authorization boundary where the attachment upload functionality fails to validate whether the requesting user has legitimate access to the target issue before a [truncated]
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an access control flaw where users retain the ability to list and download their own attachments from issues that have been made private by another user. This occurs despite the revocation of read access, resulting in a limited confidentiality breach. The vulnerability stems from improper authorization checks when a user attempts to access at [truncated]
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain an authorization bypass vulnerability in the private issue monitoring feature. An authenticated user with project-level access can craft a POST request to bug_monitor_add.php to add themselves as a monitor for a private issue they cannot otherwise access. The application displays an Access Denied error but still processes the request, creatin [truncated]
A stored cross-site scripting (XSS) vulnerability exists in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. The flaw occurs in the issue cloning workflow: when a user clones an issue from a different project, the bug_report_page.php form prepends the source project's name before the category selector without proper HTML escaping. An attacker with manager or administrator privileges—who can set pr [truncated]
Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior contain a privilege escalation vulnerability in the ProjectUsersAddCommand handler (manage_proj_user_add.php). Users with the manage_project_threshold access level (manager by default) can bypass frontend restrictions and forge a higher access_level value to grant project-level administrator access to any user, including themselves, in projects they [truncated]
MantisBT 2.28.0–2.28.1 allows low-privileged users with add_profile_threshold to create global profiles by tampering with the user_id parameter, bypassing manage_global_profile_threshold. Fixed in 2.28.2.
CVE-2016-7111 covers a cross-site scripting issue in MantisBT tied to a weak Content Security Policy when the Gravatar plugin is used. NVD classifies it as CWE-79 with a network-reachable attack surface, user interaction required, and low confidentiality/integrity impact.
CVE-2016-5364 is a cross-site scripting flaw in MantisBT's manage_custom_field_edit_page.php. NVD lists affected versions through 1.2.19, and the issue is reachable over the network with no privileges required, but it does require user interaction. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which aligns with a medium-severity web injection issue.