mantisbt
127 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE | Affected versions | CVSS | Severity | Summary
CVE-2026-33548 | all versions | 6.1 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from Hi
CVE-2026-33517 | all versions | 6.1 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper e
CVE-2026-30849 | < 2.28.1 | 9.8 | CRITICAL | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affe
CVE-2025-62520 | < 2.27.2 | 4.3 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level chec
CVE-2025-55155 | < 2.27.2 | 5.4 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to ch
CVE-2025-47776 | < 2.27.2 | 9.1 | CRITICAL | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Due to incorrect use of loose (==) instead of strict (===) comparis
CVE-2025-46556 | < 2.27.2 | 6.5 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt is
CVE-2024-45792 | < 2.26.4 | 6.5 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Using a crafted POST request, an unprivileged, registered user is a
CVE-2024-34081 | < 2.26.2 | 6.6 | MEDIUM | MantisBT (Mantis Bug Tracker) is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to i
CVE-2024-34080 | < 2.26.2 | 5.3 | MEDIUM | MantisBT (Mantis Bug Tracker) is an open source issue tracker. If an issue references a note that belongs to another issue that th
CVE-2024-34077 | < 2.26.2 | 7.3 | HIGH | MantisBT (Mantis Bug Tracker) is an open source issue tracker. Insufficient access control in the registration and password reset
CVE-2024-23830 | < 2.26.1 | 8.3 | HIGH | MantisBT is an open source issue tracker. Prior to version 2.26.1, an unauthenticated attacker who knows a user's email address an
CVE-2023-49802 | < 2.0.1 | 6.7 | MEDIUM | The LinkedCustomFields plugin for MantisBT allows users to link values between two custom fields, creating linked drop-downs. Prio
CVE-2023-44394 | < 2.25.8 | 4.3 | MEDIUM | MantisBT is an open source bug tracker. Due to insufficient access-level checks on the Wiki redirection page, any user can reveal
CVE-2023-22476 | < 2.25.6 | 4.3 | MEDIUM | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions prior to 2.25.6, due to insufficient access-level check
CVE-2022-33910 | < 2.25.5 | 5.4 | MEDIUM | An XSS vulnerability in MantisBT before 2.25.5 allows remote attackers to attach crafted SVG documents to issue reports or bugnote
CVE-2022-28508 | < 2.25.2 | 6.1 | MEDIUM | An XSS issue was discovered in browser_search_plugin.php in MantisBT before 2.25.2. Unescaped output of the return parameter allow
CVE-2021-43257 | < 2.25.3 | 7.8 | HIGH | Lack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute cod
CVE-2022-26144 | < 2.25.3 | 6.1 | MEDIUM | An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if C
CVE-2021-33557 | < 2.25.2 | 6.1 | MEDIUM | An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return paramet
CVE-2009-20001 | < 2.24.5 | 8.1 | HIGH | An issue was discovered in MantisBT before 2.24.5. It associates a unique cookie string with each user. This string is not reset u
CVE-2020-35571 | <= 2.24.3 | 6.1 | MEDIUM | An issue was discovered in MantisBT through 2.24.3. In the helper_ensure_confirmed call in manage_custom_field_update.php, the cus
CVE-2020-29605 | < 2.24.4 | 4.3 | MEDIUM | An issue was discovered in MantisBT before 2.24.4. Due to insufficient access-level checks, any logged-in user allowed to perform
CVE-2020-29604 | < 2.24.4 | 6.5 | MEDIUM | An issue was discovered in MantisBT before 2.24.4. A missing access check in bug_actiongroup.php allows an attacker (with rights t
CVE-2020-29603 | < 2.24.4 | 4.3 | MEDIUM | In manage_proj_edit_page.php in MantisBT before 2.24.4, any unprivileged logged-in user can retrieve Private Projects' names via t
CVE-2020-36192 | < 2.4.1 | 5.3 | MEDIUM | An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary fie
CVE-2020-28413 | all versions | 5.3 | MEDIUM | In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP.
CVE-2020-35849 | < 2.24.4 | 7.5 | HIGH | An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged
CVE-2020-25830 | < 2.24.3 | 4.8 | MEDIUM | An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML an
CVE-2020-25781 | < 2.24.3 | 4.3 | MEDIUM | An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able
CVE-2020-25288 | < 2.24.3 | 4.8 | MEDIUM | An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular
CVE-2020-16266 | < 2.24.2 | 5.4 | MEDIUM | An XSS issue was discovered in MantisBT before 2.24.2. Improper escaping on view_all_bug_page.php allows a remote attacker to inje
CVE-2019-15539 | < 2.21.3 | 6.1 | MEDIUM | The proj_doc_edit_page.php Project Documentation feature in MantisBT before 2.21.3 has a stored cross-site scripting (XSS) vulnera
CVE-2020-8981 | < 1.6.2 | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability was discovered in the Source Integration plugin before 1.6.2 and 2.x before 2.3.1 for M
CVE-2009-2802 | >= 1.2.0 and < 1.2.2 | 6.1 | MEDIUM | MantisBT 1.2.x before 1.2.2 insecurely handles attachments and MIME types. Arbitrary inline attachment rendering could lead to cro
CVE-2013-1811 | < 1.2.13 | 4.3 | MEDIUM | An access control issue in MantisBT before 1.2.13 allows users with "Reporter" permissions to change any issue to "New".
CVE-2013-1934 | >= 1.2.1 and <= 1.2.14 | 5.4 | MEDIUM | A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.0rc1 before 1.
CVE-2013-1932 | all versions | 5.4 | MEDIUM | A cross-site scripting (XSS) vulnerability in the configuration report page (adm_config_report.php) in MantisBT 1.2.13 allows remo
CVE-2013-1931 | all versions | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 allows remote attackers to inject arbitrary web script or HTML via a
CVE-2013-1930 | >= 1.2.12 and < 1.2.15 | 4.3 | MEDIUM | MantisBT 1.2.12 before 1.2.15 allows authenticated users to bypass the workflow restriction and close issues.
CVE-2019-15715 | >= 1.0.0 and < 1.3.20 | 7.2 | HIGH | MantisBT before 1.3.20 and 2.22.1 allows Post Authentication Command Injection, leading to Remote Code Execution.
CVE-2019-15074 | >= 2.13.0 and <= 2.21.1 | 9.6 | CRITICAL | The Timeline feature in my_view_page.php in MantisBT through 2.21.1 has a stored cross-site scripting (XSS) vulnerability, allowin
CVE-2018-16514 | >= 2.1.0 and <= 2.17.0 | 4.7 | MEDIUM | A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) and Edit Filter page (manage_filter_ed
CVE-2018-9839 | <= 1.3.14 | 6.5 | MEDIUM | An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a crafted request on bug_report_page.php (modifying the 'm_id
CVE-2018-17783 | >= 2.1.0 and <= 2.17.1 | 5.4 | MEDIUM | A cross-site scripting (XSS) vulnerability in the Edit Filter page (manage_filter_edit_page.php) in MantisBT 2.1.0 through 2.17.1
CVE-2018-17782 | >= 2.1.0 and <= 2.17.1 | 5.4 | MEDIUM | A cross-site scripting (XSS) vulnerability in the Manage Filters page (manage_filter_page.php) in MantisBT 2.1.0 through 2.17.1 al
CVE-2018-16362 | < 1.5.9 | 6.1 | MEDIUM | An issue was discovered in the Source Integration plugin before 1.5.9 and 2.x before 2.1.5 for MantisBT. A cross-site scripting (X
CVE-2018-14504 | >= 2.0.0 and <= 2.15.0 | 6.1 | MEDIUM | An issue was discovered in manage_filter_edit_page.php in MantisBT 2.x through 2.15.0. A cross-site scripting (XSS) vulnerability
CVE-2018-13055 | >= 2.1.0 and <= 2.15.0 | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in the View Filters page (view_filters_page.php) in MantisBT 2.1.0 through 2.15.0 allow
CVE-2018-6526 | <= 2.10.0 | 5.3 | MEDIUM | view_all_bug_page.php in MantisBT 2.10.0-development before 2018-02-02 allows remote attackers to discover the full path via an in
CVE-2018-6382 | all versions | 3.3 | LOW | MantisBT 2.10.0 allows local users to conduct SQL Injection attacks via the vendor/adodb/adodb-php/server.php sql parameter in a r
CVE-2014-9624 | <= 1.2.18 | 7.5 | HIGH | CAPTCHA bypass vulnerability in MantisBT before 1.2.19.
CVE-2015-2046 | all versions | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in MantisBT 1.2.13 and later before 1.2.20.
CVE-2014-9701 | <= 1.2.18 | 6.5 | MEDIUM | Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject
CVE-2017-12419 | all versions | 4.9 | MEDIUM | If, after successful installation of MantisBT through 2.5.2 on MySQL/MariaDB, the administrator does not remove the 'admin' direct
CVE-2017-12062 | all versions | 6.1 | MEDIUM | An XSS issue was discovered in manage_user_page.php in MantisBT 2.x before 2.5.2. The 'filter' field is not sanitized before being
CVE-2017-12061 | >= 1.3.0 and < 1.3.12 | 6.1 | MEDIUM | An XSS issue was discovered in admin/install.php in MantisBT before 1.3.12 and 2.x before 2.5.2. Some variables under user control
CVE-2015-5059 | <= 1.2.19 | 5.3 | MEDIUM | The "Project Documentation" feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold
CVE-2017-7620 | <= 1.3.10 | 6.5 | MEDIUM | MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits a backslash check in string_api.php and consequently has co
CVE-2017-7897 | all versions | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x before 2.3.2) Timeline include page, used in My View (my_view_pa
CVE-2017-7615 | <= 2.3.0 | 8.8 | HIGH | MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.
CVE-2017-7309 | all versions | 4.8 | MEDIUM | A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attacke
CVE-2017-7241 | all versions | 4.8 | MEDIUM | A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php, part of admin tools)
CVE-2017-6973 | all versions | 4.8 | MEDIUM | A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attacke
CVE-2017-7222 | <= 2.1.0 | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 allows remote attackers to inject arbitrary HTML or JavaScript
CVE-2017-6958 | <= 2.0.1 | 6.1 | MEDIUM | An XSS vulnerability in the MantisBT Source Integration Plugin (before 2.0.2) search result page allows an attacker to inject arbi
CVE-2017-6799 | <= 2.2.0 | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in view_filters_page.php in MantisBT before 2.2.1 allows remote attackers to inject arb
CVE-2017-6797 | < 1.3.7 | 6.1 | MEDIUM | A cross-site scripting (XSS) vulnerability in bug_change_status_page.php in MantisBT before 1.3.7 and 2.x before 2.2.1 allows remo
CVE-2016-7111 | <= 1.3.0 | 4.7 | MEDIUM | MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows
CVE-2016-5364 | <= 1.2.19 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attacke
CVE-2016-6837 | <= 1.2.18 | 6.1 | MEDIUM | Cross-site scripting (XSS) vulnerability in MantisBT Filter API in MantisBT versions before 1.2.19, and versions 2.0.0-beta1, 1.3.
CVE-2014-9759 | all versions | 5.3 | MEDIUM | Incomplete blacklist vulnerability in the config_is_private function in config_api.php in MantisBT 1.3.x before 1.3.0 allows remot
CVE-2014-8987 | all versions |  |  | Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) i
CVE-2015-1042 | all versions |  |  | The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, w
CVE-2014-9573 | <= 1.2.18 |  |  | SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administ
CVE-2014-9572 | <= 1.2.18 |  |  | MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote atta
CVE-2014-9571 | <= 1.2.18 |  |  | Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remot
CVE-2014-9272 | all versions |  |  | The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which
CVE-2014-9271 | all versions | 5.4 | MEDIUM | Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to injec
CVE-2014-9269 | all versions |  |  | Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project
CVE-2014-9506 | <= 1.2.17 |  |  | MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related
CVE-2014-9388 | <= 1.2.17 |  |  | bug_report.php in MantisBT before 1.2.18 allows remote attackers to assign arbitrary issues via the handler_id parameter.
CVE-2014-8553 | <= 1.2.17 |  |  | The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtai
CVE-2014-6316 | <= 1.2.17 |  |  | core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remo
CVE-2014-9281 | <= 1.2.17 |  |  | Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbit
CVE-2014-9280 | <= 1.2.17 |  |  | The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute
CVE-2014-9279 | all versions |  |  | The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attac
CVE-2014-9270 | all versions |  |  | Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisB
CVE-2014-9117 | <= 1.2.17 |  |  | MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypa
CVE-2014-9089 | <= 1.2.17 |  |  | Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitr
CVE-2014-8988 | all versions |  |  | MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_t
CVE-2014-8986 | all versions |  |  | Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.
CVE-2014-8598 | <= 1.2.17 |  |  | The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML
CVE-2014-7146 | all versions |  |  | The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1)
CVE-2014-8554 | <= 1.2.17 |  |  | SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 al
CVE-2014-6387 | <= 1.2.17 |  |  | gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authentication via a password starting with a null byt
CVE-2013-1883 | all versions |  |  | Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption)
CVE-2013-1810 | all versions |  |  | Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users wi
CVE-2013-0197 | all versions |  |  | Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 bef
CVE-2014-1609 | <= 1.2.15 |  |  | Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unsp
CVE-2014-1608 | <= 1.2.15 |  |  | SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attac
CVE-2014-2238 | all versions |  |  | SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remo
CVE-2013-4460 | all versions |  |  | Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated
CVE-2012-5523 | <= 1.2.11 |  |  | core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, w
CVE-2012-5522 | <= 1.2.11 |  |  | MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug
CVE-2012-1123 | <= 1.2.8 |  |  | The mci_check_login function in api/soap/mc_api.php in the SOAP API in MantisBT before 1.2.9 allows remote attackers to bypass aut
CVE-2012-1122 | <= 1.2.8 |  |  | bug_actiongroup.php in MantisBT before 1.2.9 does not properly check the report_bug_threshold permission of the receiving project
CVE-2012-1121 | <= 1.2.8 |  |  | MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1)
CVE-2012-1120 | <= 1.2.8 |  |  | The SOAP API in MantisBT before 1.2.9 does not properly enforce the bugnote_allow_user_edit_delete and delete_bug_threshold permis
CVE-2012-1119 | <= 1.2.8 |  |  | MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug
CVE-2012-1118 | <= 1.2.8 |  |  | The access_has_bug_level function in core/access_api.php in MantisBT before 1.2.9 does not properly restrict access when the priva
CVE-2012-2692 | <= 1.2.10 |  |  | MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, whi
CVE-2012-2691 | <= 1.2.10 |  |  | The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remot
CVE-2011-3755 | all versions |  |  | MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the inst
CVE-2011-3578 | <= 1.2.7 |  |  | Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to injec
CVE-2011-3358 | <= 1.2.7 |  |  | Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.8 allow remote attackers to inject arbitrary web script
CVE-2011-3357 | <= 1.2.7 |  |  | Directory traversal vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to include and
CVE-2011-3356 | <= 1.2.7 |  |  | Multiple cross-site scripting (XSS) vulnerabilities in config_defaults_inc.php in MantisBT before 1.2.8 allow remote attackers to
CVE-2011-2938 | <= 1.2.6 |  |  | Multiple cross-site scripting (XSS) vulnerabilities in filter_api.php in MantisBT before 1.2.7 allow remote attackers to inject ar
CVE-2010-4350 | <= 1.2.3 |  |  | Directory traversal vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to include and
CVE-2010-4349 | <= 1.2.3 |  |  | admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to obtain sensitive information via an invalid db_ty
CVE-2010-4348 | <= 1.2.3 |  |  | Cross-site scripting (XSS) vulnerability in admin/upgrade_unattended.php in MantisBT before 1.2.4 allows remote attackers to injec
CVE-2010-3763 | <= 1.2.2 |  |  | Cross-site scripting (XSS) vulnerability in core/summary_api.php in MantisBT before 1.2.3 allows remote attackers to inject arbitr
CVE-2010-3303 | <= 1.2.2 |  |  | Multiple cross-site scripting (XSS) vulnerabilities in MantisBT before 1.2.3 allow remote authenticated administrators to inject a
CVE-2010-2802 | <= 1.2.1 |  |  | Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script
CVE-2010-2574 | all versions |  |  | Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators t
CVE-2008-3102 | all versions |  |  | Mantis 1.1.x through 1.1.2 and 1.2.x through 1.2.0a2 does not set the secure flag for the session cookie in an https session, whic
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin