CVE Alert

CVE-2026-42070

UNKNOWN 0.0

MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 12th

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users, bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.

CWE: CWE-863
Vendor: mantisbt
Product: mantisbt
Published: May 28, 2026
Last Updated: Jun 2, 2026

Affected Versions

mantisbt / mantisbt
< 2.28.2

References

github.com: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
github.com: https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
mantisbt.org: https://mantisbt.org/bugs/view.php?id=37089
mantisbt.org: https://mantisbt.org/bugs/view.php?id=37093