Vulnerability DatabaseCVE-2026-42070
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-42070
Published:May 28, 2026
Updated:June 13, 2026
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2.
Affected Packages
https://github.com/mantisbt/mantisbt.git (GITHUB):
Affected version(s) >=release-1.0.0 <release-2.28.2
Fix Suggestion:
Update to version release-2.28.2
mantisbt/mantisbt (PHP):
Affected version(s) >=dev-dependabot/composer/adodb/adodb-php-5.22.4 <2.28.2
Fix Suggestion:
Update to version 2.28.2
Related Resources (6)
https://mantisbt.org/bugs/view.php?id=37093
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6
https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435
https://github.com/mantisbt/mantisbt
https://nvd.nist.gov/vuln/detail/CVE-2026-42070
https://mantisbt.org/bugs/view.php?id=37089
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.04