CVE-2026-42070

Published: Mag 28, 2026 Last Modified: Mag 28, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.

863

Incorrect Authorization

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Access Control Availability
Potential Impacts:
Read Application Data Read Files Or Directories Modify Application Data Modify Files Or Directories Gain Privileges Or Assume Identity Bypass Protection Mechanism Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Dos: Resource Consumption (Other)
Applicable Platforms
Technologies: Web Server, Database Server, Not Technology-Specific
Likelihood of Exploit: High
View CWE Details
https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc…
https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17…
https://github.com/mantisbt/mantisbt/security/advisories/GH…
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
https://mantisbt.org/bugs/view.php?id=37089
https://mantisbt.org/bugs/view.php?id=37089
https://mantisbt.org/bugs/view.php?id=37093
https://mantisbt.org/bugs/view.php?id=37093