Security researchers have identified a trio of significant vulnerabilities within MantisBT, the popular open-source issue tracking system used by teams worldwide for project collaboration. The flaws range from high-impact Cross-Site Scripting (XSS) to a critical authentication bypass that could allow attackers to hijack user accounts.
The most severe vulnerability, tracked as CVE-2026-30849 (CVSS 9.3), affects MantisBT instances running on MySQL or a compatible database backend.
The flaw stems from improper type checking of the password parameter in the SOAP API. Because MySQL performs implicit type conversion from strings to integers, an attacker can bypass the login check.
With a specially crafted SOAP envelope, an attacker who knows only a victim’s username can authenticate without the victim’s password.
Once authenticated, the attacker can execute any API function the victim has access to. All versions up to 2.28.1 are affected.
In addition to the authentication bypass, two high-severity HTML injection vulnerabilities have been disclosed, both carrying a CVSS score of 8.6.
- Tag Delete Confirmation (CVE-2026-33517): Improper escaping of tag names in tag_delete.php allows an attacker to inject malicious HTML. If Content Security Policy (CSP) settings are weak, this can lead to the execution of arbitrary JavaScript.
- Timeline History (CVE-2026-33548): A similar flaw exists in how tag names retrieved from history are displayed on the Timeline (my_view_page.php). Viewing the history of a tag that has been renamed or deleted can trigger a Cross-Site Scripting (XSS) attack.
The MantisBT development team has moved quickly to release patches for these issues. Organizations are urged to update their installations immediately to the latest versions.
If you cannot update immediately, researchers suggest several stop-gap measures:
- For the Auth Bypass: Disabling the SOAP API significantly reduces the risk, though limited information disclosure (such as real names and email addresses) may remain possible.
- For the Timeline XSS: Administrators can manually edit offending History entries via SQL or modify the TimelineEvent::html() code to properly wrap tag names in a specialchars call.
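As an added illustration of the two fixes described above (this is example code, not MantisBT’s own), the following Python shows a login handler that rejects any password parameter that is not exactly a string before it can reach a database comparison, plus an HTML-escaping helper for tag names. The user store, the hash scheme and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import html
from typing import Any

class LoginError(Exception):
    """Raised when login parameters fail strict type validation."""

def validate_login_params(params: dict[str, Any]) -> tuple[str, str]:
    """Require username and password to be non-empty str values.

    A SOAP deserializer hands the application whatever type the client's
    envelope declared (int, bool, None, ...). Refusing anything that is not
    exactly a string means no non-string value ever reaches a database
    comparison where the engine could apply implicit type conversion.
    """
    username = params.get("username")
    password = params.get("password")
    if type(username) is not str or not username:
        raise LoginError("username must be a non-empty string")
    if type(password) is not str or not password:
        raise LoginError("password must be a non-empty string")
    return username, password

def verify_password(stored_hash_hex: str, password: str) -> bool:
    """Hash in the application and compare in constant time.
    Unsalted SHA-256 keeps the example dependency-free; a real deployment
    would use a slow, salted scheme such as bcrypt or Argon2."""
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored_hash_hex, candidate)

# Constructed user store standing in for the application's user table.
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}

def login(params: dict[str, Any]) -> bool:
    """Return True only for a well-typed, correct credential pair."""
    try:
        username, password = validate_login_params(params)
    except LoginError:
        return False
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(stored, password)

def render_tag_name(tag_name: str) -> str:
    """Escape a tag name before placing it in HTML output (the Python
    equivalent of wrapping the value in an htmlspecialchars call)."""
    return html.escape(tag_name, quote=True)
```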