ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ???????????????????????????????????? ???????????????????????????????????? ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ÿØÿà JFIF    ÿÛ „  ( %!1!%)+//.383,7(-.+  -%%-////---/-.+/--+------/------/--0+--/-/-----.-----ÿÀ  ¥2" ÿÄ     ÿÄ J    ! 1AQ"aq2‘#BR‚¡ÁÑ3br’¢±Âð$CSƒ²á4c“%DsÓñÿÄ   ÿÄ *  !1AQa‘"2q3±ð#b¡ÿÚ   ? ¼QxJQaÍuò¸Zö Úü8,ÐÚú "SSn<rçù–´âE—^ªBÖ9À\†¸ÔÁT­ÃÛ5 ëd´³Í#Ý;Þ38œî ¶H£M:wÎ3…³…âpÔF&‚FK¸9„â4àGEõªfÿ ‘ñ(ßw­pŽF|È¥ù®häðÍѶ¹‘[ÒinÙW¶ùñY˜Q{›K"išÒ[Ú8žë\F¹@-?v"ÔU”,ìöžkÿ {I‡£šÍ?e ríV ?> ......................................... ............................................................................. ???????????????????????????????????? ???????????????????????????????????? mantisbt - 2.28.4 Released 2026-07-01 Maintenance and Security release addressing a critical authentication bypass vulnerability in the SOAP API (CVE-2026-47156, thanks to MacCaulay Hudson of watchTowr) as well as 7 other vulnerabilities including SQL injection, remote code execution, Cross-site scripting, missing authorisation and improper input validation (refer to issues in the Change Log for details and security researchers credits). This release also fixes a few bugs, including a regression introduced in 2.28.2. 0037237: [printing] Printing an issue having notes without text triggers PHP error (dregad) 0037250: [ui] The news_list_page.php page does not display news for “All Projects” (community) 0037256: [email] Incorrect log message regarding sent email (community) 0037075: [api soap] SOAP Issue Update Implicitly Reassigns Reporter To The Caller When reporter Is Omitted (dregad) 0037135: [authentication] Fix CSRF validation failure in anonymous login (community) 0037257: [ui] Incorrect identification of a non-default mention tag (dregad) mantisbt - 2.28.3 Released 2026-05-14 Hotfix release, fixing a regression in the reauthentication flow introduced in 2.28.2. 0037130: [authentication] login_password_page.php: CSRF validation fails when called via auth_reauthenticate() (since 2.28.2) (community) mantisbt - 2.28.2 Released 2026-05-09 Important security release, addressing over 15 vulnerabilities; refer to the Change Log for details. We would like to thank the researchers who identified and helped us fix them: Vishal Shukla (@ninjasec), Dracosec Research Limited, Nozomu Sasaki (@morimori-dev) and Tang Cheuk Hei (@siunam). The release also fixes a few bugs and regression issues and improves PHP 8.5 compatibility. 0036819: [authentication] Secure cookies are rejected by the browser (dregad) 0037024: [administration] Incorrect PHP Supported version Admin Check (dregad) 0037023: [administration] Deprecated error in PHP 8.5 when checking the installation in the admin panel (dregad) 0037022: [tagging] Undefined array key error in tag_bug_get* functions when given an invalid Issue ID (community) 0037019: [ui] User's chosen font overwritten when saving preferences (dregad) 0037010: [tools] Github Actions: deprecated actions warning (dregad) 0037006: [code cleanup] Abort user verification early if given user id is not valid (dregad) 0037005: [bugtracker] user_get_row() does not throw exception when given invalid user id (dregad) 0036995: [security] CVE-2026-34390: Privilege Escalation from Manager to Administrator role per project basis (dregad) 0036991: [security] Improve protection against CSV injection (dregad) 0036990: [ui] Duplicated layout in View Filters Page when filter is not accessible (dregad) 0036969: [plug-ins] Unknown category error in the MantisGraph plugin. (dregad) 0036974: [security] CVE-2026-33052: Authorization Bypass in Global Profile Creation via account_prof_update.php (dregad) 0036987: [csv] csv_escape_string: incorrect result with int/float custom values when csv_injection_protection is active (dregad) 0036986: [security] CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name (dregad) 0036985: [security] CVE-2026-42071: REST Issue File Listing Leaks Attachments From Hidden Private Bugnotes (dregad) 0036978: [security] CVE-2026-34970: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked (dregad) 0032998: [administration] Call to undefined function mci_get_project_id() when removing a user from a project (vboctor) 0036975: [security] CVE-2026-34579: Authorization bypass in private issue monitoring allows unauthorized users to subscribe to restricted issues (dregad) 0036977: [security] CVE-2026-34744: Authorization bypass allows users to read their own attachments after losing access to a private issue (dregad) 0036976: [security] CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST (dregad) 0037099: [security] CVE-2026-44655: XSS in move_attachments_page.php (dregad) 0037089: [security] CVE-2026-42070: REST/SOAP mc_issue_update Embedded Note Update Bypasses Note-Level Authorization (dregad) 0037020: [security] CVE-2026-44657: Stored XSS in File Download (dregad) 0037016: [security] CVE-2026-40597: Content Security Policy bypass via attachments (dregad) 0037015: [security] CVE-2026-40607: Stored XSS in Saved-Filter Owner Column (Manager+) (dregad) 0037013: [security] CVE-2026-41897: Reflected XSS in Rendering Dynamic Custom Textarea Field (dregad) 0037017: [security] CVE-2026-40598 : Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page (dregad) 0037011: [security] CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference (dregad) 0037003: [security] CVE-2026-39960: Stored XSS in Custom Field Textarea Values (dregad) mantisbt - 2.28.1 Released 2026-03-16 Maintenance and security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849, thanks to Alexander Philiotis of SynerComm) and two HTML injection / XSS issues with tag names (CVE not yet assigned, credits to Vishal Shukla). The release also fixes a few bugs including regression issues introduced in 2.28.0. 0036810: [bugtracker] Accessing bug_report_page.php (and other pages) anonymously results in blank page (dregad) 0036971: [security] Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name (dregad) 0036973: [security] Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name (dregad) 0036818: [api soap] Call to undefined function date_timestamp_to_iso8601() (dregad) 0036855: [bugtracker] Application error on bug_relationship_graph.php page (community) 0036860: [tools] Update PHPUnit to 9.6.34 (dregad) 0036823: [email] Update PHPMailer to 7.0.2 (dregad) 0036972: [localization] Invalid use of {{GENDER:*}} tag in French language strings (dregad)