mantisbt - 2.28.3 Released 2026-05-14

Hotfix release, fixing a regression in the reauthentication flow introduced in 2.28.2.

    0037130: [authentication] login_password_page.php: CSRF validation fails when called via auth_reauthenticate() (since 2.28.2) (community)

mantisbt - 2.28.2 Released 2026-05-09

Important security release, addressing over 15 vulnerabilities; refer to the Change Log for details. We would like to thank the researchers who identified and helped us fix them: Vishal Shukla (@ninjasec), Dracosec Research Limited, Nozomu Sasaki (@morimori-dev) and Tang Cheuk Hei (@siunam). The release also fixes a few bugs and regression issues and improves PHP 8.5 compatibility.

    0036819: [authentication] Secure cookies are rejected by the browser (dregad)
    0037024: [administration] Incorrect PHP Supported version Admin Check (dregad)
    0037023: [administration] Deprecated error in PHP 8.5 when checking the installation in the admin panel (dregad)
    0037022: [tagging] Undefined array key error in tag_bug_get* functions when given an invalid Issue ID (community)
    0037019: [ui] User's chosen font overwritten when saving preferences (dregad)
    0037010: [tools] Github Actions: deprecated actions warning (dregad)
    0037006: [code cleanup] Abort user verification early if given user id is not valid (dregad)
    0037005: [bugtracker] user_get_row() does not throw exception when given invalid user id (dregad)
    0036995: [security] CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis (dregad)
    0036991: [security] Improve protection against CSV injection (dregad)
    0036990: [ui] Duplicated layout in View Filters Page when filter is not accessible (dregad)
    0036969: [plug-ins] Unknown category error in the MantisGraph plugin (dregad)
    0036974: [security] CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php (dregad)
    0036987: [csv] csv_escape_string: incorrect result with int/float custom values when csv_injection_protection is active (dregad)
    0036986: [security] CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name (dregad)
    0036985: [security] CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes (dregad)
    0036978: [security] CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked (dregad)
    0032998: [administration] Call to undefined function mci_get_project_id() when removing a user from a project (vboctor)
    0036975: [security] CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues (dregad)
    0036977: [security] CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue (dregad)
    0036976: [security] CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST (dregad)
    0037099: [security] CVE-2026-44655: XSS in move_attachments_page.php (dregad)
    0037089: [security] CVE-2026-42070: REST/SOAP mc_issue_update Embedded Note Update Bypasses Note-Level Authorization (dregad)
    0037020: [security] CVE-2026-44657: Stored XSS in File Download (dregad)
    0037016: [security] CVE-2026-40597: Content Security Policy bypass via attachments (dregad)
    0037015: [security] CVE-2026-40607: Stored XSS in Saved-Filter Owner Column (Manager+) (dregad)
    0037013: [security] CVE-2026-41897: Reflected XSS in Rendering Dynamic Custom Textarea Field (dregad)
    0037017: [security] CVE-2026-40598: Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page (dregad)
    0037011: [security] CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference (dregad)
    0037003: [security] CVE-2026-39960: Stored XSS in Custom Field Textarea Values (dregad)

mantisbt - 2.28.1 Released 2026-03-16

Maintenance and security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849, thanks to Alexander Philiotis of SynerComm) and two HTML injection / XSS issues with tag names (CVE not yet assigned, credits to Vishal Shukla). The release also fixes a few bugs including regression issues introduced in 2.28.0.

    0036810: [bugtracker] Accessing bug_report_page.php (and other pages) anonymously results in blank page (dregad)
    0036971: [security] Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name (dregad)
    0036973: [security] Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name (dregad)
    0036818: [api soap] Call to undefined function date_timestamp_to_iso8601() (dregad)
    0036855: [bugtracker] Application error on bug_relationship_graph.php page (community)
    0036860: [tools] Update PHPUnit to 9.6.34 (dregad)
    0036823: [email] Update PHPMailer to 7.0.2 (dregad)
    0036972: [localization] Invalid use of {{GENDER:*}} tag in French language strings (dregad)

mantisbt - 2.28.0 Released 2025-12-29

Maintenance release including nearly 80 enhancements and bug fixes. Highlights: compatibility with PHP 8.4 and 8.5, improved documentation including an OpenAPI Description for the REST API, better Tags management, restored included pages functionality and many others.

    0026740: [plug-ins] Improve documentation for plugin_require_api() and plugin_event_hook() (dregad)
    0035227: [markdown] MantisBT is not compatible with Parsedown 1.8 (community)
    0035258: [other] Use of PHPUnit::toString() sometimes causes errors in tests (dregad)
    0034960: [api soap] SOAP: Update WSDL viewer to version 3.1.03 (dregad)
    0035038: [ui] Text on the relationship and workflow graphs are rendered cropped (community)
    0035082: [plug-ins] Allow plugin_file_path() to return the files directory and use the current plugin by default (community)
    0035230: [code cleanup] Use generic language strings for Tags management pages (dregad)
    0035070: [plug-ins] Unable to retrieve values of arbitrary fields from LDAP (dregad)
    0035229: [tagging] Allow direct editing of tags from Manage Tags page (dregad)
    0005271: [other] Support NoFollow hyperlinks for external urls (community)
    0035228: [tagging] View and Update tag pages are not integrated in the Manage Tags menu (dregad)
    0035223: [other] MantisBT tests are not compatible with PHPUnit 11.5 (community)
    0035208: [plug-ins] Improve error handling for invalid plugins (dregad)
    0035210: [ui] Incorrect handling of relative URLs in helper_get_root_domain() function and caller one (dregad)
    0035212: [tools] GetLinkAttributesTest does not reset html_make_links config after tests (dregad)
    0035211: [bugtracker] Core should allow detecting whether a config is set in the database (dregad)
    0035219: [tagging] Number of related tags is no longer limited (dregad)
    0034876: [bugtracker] When moving issues, it should not be possible to select the current project as target (dregad)
    0034848: [reports] MantisGraph: view all data values when hovering over line (dregad)
    0034847: [reports] Upgrade chart.js library to 3.9.1 (dregad)
    0034824: [performance] Multiple execution of the same query with Profile API functions (dregad)
    0006803: [bugtracker] Allow adding a note when moving an Issue to another project (dregad)
    0010027: [tagging] Switching project on the Update Tag page gives APPLICATION ERROR 200 (dregad)
    0022607: [tagging] Clean up unused tags (dregad)
    0035259: [code cleanup] Add namespaces to PHPUnit test suite (dregad)
    0035260: [administration] Project names should be trimmed before project creation or update (vboctor)
    0035425: [ui] Inconsistent display in navbar user menu (dregad)
    0035439: [performance] Multiple loads of plugins on the manage_plugin_page (community)
    0035525: [bugtracker] gpc_get_int() should not remove spaces in the middle of the string (dregad)
    0035551: [administration] Improve output of log events when $g_log_destination = 'page' (dregad)
    0035402: [html] Footer has the wrong size (community)
    0035544: [db postgresql] Attempt to update the category in the “Edit Project Category” form results in an error (dregad)
    0021113: [plug-ins] EVENT_LAYOUT_PAGE_HEADER no longer available (community)
    0022098: [customization] Setting bottom_include_page does not include specified file (community)
    0035568: [code cleanup] Calling layout_page_header() without parameters throws deprecation warning on PHP 8.1 (dregad)
    0035561: [ui] "Access Denied" page has no layout for anonymous account (community)
    0036438: [plug-ins] MantisCoreFormatting: Error when saving configuration (atrol)
    0035552: [ui] Inline error messages are sometimes displayed behind the navbar (dregad)
    0035583: [bugtracker] Delayed inline errors are not printed on login page (dregad)
    0036614: [code cleanup] PHP 8.5 compatibility (dregad)
    0036618: [db schema] Update ADOdb to 5.22.11 (dregad)
    0036617: [code cleanup] PHP 8.5: Increment on non-numeric string is deprecated (dregad)
    0036616: [code cleanup] PHP 8.5: case followed by semicolon deprecations (dregad)
    0036615: [code cleanup] PHP 8.5: non-canonical cast deprecations (dregad)
    0035647: [documentation] Outdated build status in README.md (atrol)
    0035562: [ui] If user is anonymous, page footer overlaps with error message (community)
    0035587: [administration] Access Denied page's Login button has Invalid URL when triggered from Admin pages (dregad)
    0035874: [email] Update PHPMailer to 7.0.1 (dregad)
    0036621: [plug-ins] Support moderation via plugins (vboctor)
    0035646: [documentation] Wrong code example in Admin Guide (atrol)
    0036624: [email] Changing email address is no longer possible (atrol)
    0035645: [ui] Some widgets are not collapsible (community)
    0035644: [ui] Extra page load due to dropzone <img> stub tag (community)
    0036786: [email] Calling email API functions from CLI triggers PHP warning (dregad)
    0034649: [ui] Reorder group update actions in selection list (atrol)
    0036765: [plug-ins] The plugin_get_current() function returns an incorrect value when executed from MantisPlugin::schema() (dregad)
    0034928: [bugtracker] Date conversion fails using a non-US date format in VersionUpdateCommand.php (dregad)
    0034938: [other] Update htmlpurifier to 4.19.0 (dregad)
    0035756: [api rest] Update Guzzle to 7.10.0 (dregad)
    0035540: [installation] A clean installation ends with Internal Server Error with no message/detail given (dregad)
    0035207: [ui] Early inline warnings mess up with page layout (dregad)
    0036510: [ui] Increase spacing before lock icon on relationship to private issue (dregad)
    0035503: [html] The MantisBT web interface must pass HTML validation (part 2) (community)
    0035288: [email] Support custom email sending providers (vboctor)
    0036278: [email] Incorrect relationship type in email notifications (vboctor)
    0035424: [code cleanup] Use new string_build_query() API function (community)
    0035626: [ui] Main menu custom option with non-http absolute URL displayed incorrectly (community)
    0006159: [documentation] Sticky Issues: document usage (dregad)
    0014508: [documentation] Document usage of "Stick" Button in View Issue Details page (dregad)
    0022250: [ui] Remove useless spacing in the footer (community)
    0034823: [api rest] Create an OpenAPI Description for REST API (vboctor)
    0035216: [code cleanup] PHP 8.4 compatibility (dregad)
    0035217: [markdown] PHP 8.4 deprecation warnings in Parsedown 1.7.4 (dregad)
    0035214: [code cleanup] PHP 8.4: fputcsv() empty $escape parameter is deprecated (dregad)
    0035213: [code cleanup] PHP 8.4: E_STRICT is deprecated (dregad)
    0035284: [api rest] Allow REST API to run on PHP 8.4 ignoring E_DEPRECATED notices (dregad)
    0035215: [code cleanup] PHP 8.4: Implicitly nullable parameter types are deprecated (dregad)
    0035283: [api soap] PHP 8.4: SOAP API throws SoapFault: Internal Service Error (dregad)

mantisbt - 2.27.3 Released 2025-11-03

Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2.

    0036619: [administration] Most Admin Checks are disabled in 2.27.2 (dregad)
    0036620: [administration] PHP Fatal error in Admin Checks of custom fields (atrol)
