MantisBT 2.28.1 has been released 🚀

Security release addressing a critical vulnerability affecting the SOAP API on MySQL (CVE-2026-30849) and two HTML injection / XSS issues with tag names, as well as a few bugs including regressions introduced in 2.28.0.

https://mantisbt.org/blog/archives/mantisbt/811

โš ๏ธ You should upgrade immediately if you're running on MySQL โš ๏ธ

#mantisbt #security

MantisBT 2.28.1 Released – Mantis Bug Tracker – Blog

…and for those who wondered about the recurring MantisBT example in the screenshots - that is one of my end-to-end scenarios I use to test the practical viability of the Reconcile Engine, including things like volume management.

The scope is deliberately host-centric. It is not a cluster-wide deployment model like Kubernetes, but always framed around something like a sovereign home server, where I simply want to manage and operate my services in a clean and structured way.

For example, running a bug tracker with its database and reverse proxy - or something entirely different, like a Luanti game server for my son.

Some documentation has also started to emerge, because at this point it can no longer really be explained in a one-pager:

https://netbsd-cells.petermann-digital.de/docs/end-to-end-recipes/mantisbt-end-to-end-example/index.html

https://netbsd-cells.petermann-digital.de/docs/end-to-end-recipes/luanti-gameserver-end-to-end-example/index.html

#netbsd #devops #modernretrocomputing #luanti #mantisbt #selfhosted #clt2026

MantisBT End-to-End Example :: Cells for NetBSD

What this page gives you: This walkthrough is for admins who want one complete, realistic stack example from shipped manifests to running service. You will learn: how a multi-cell stack is modeled in manifests; how dependencies (CELL_DEPENDS_ON) enforce rollout order; how volume mounts model data ownership and persistence boundaries. Shipped example location on NetBSD: /usr/share/examples/cellmgr/mantisbt. Topology and dependency graph: The MantisBT example has three cells and three volumes:

Cells for NetBSD

โš ๏ธ Critical security issue in MantisBT (CVE-2026-30849) will be fixed in version 2.28.1, to be released on Monday 16-Mar-2026 12:00 UTC. Be ready to patch your system right away !
https://mantisbt.org/blog/archives/mantisbt/815

#mantisbt #security

Critical Security Issue in MantisBT <= 2.28.0 – Mantis Bug Tracker – Blog

MantisBT 2.28.0 has been released 🚀

Maintenance release including nearly 80 enhancements and bug fixes. Highlights: compatibility with PHP 8.4 and 8.5, improved documentation including an OpenAPI Description for the REST API, better Tags management, restored included pages functionality and many others.

https://mantisbt.org/blog/archives/mantisbt/803

#mantisbt #release

MantisBT 2.28.0 Released – Mantis Bug Tracker – Blog

MantisBT 2.27.3 Released 🚀

Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2.
https://mantisbt.org/blog/archives/mantisbt/799

#mantisbt #release

MantisBT 2.27.3 Released – Mantis Bug Tracker – Blog

Several months ago, I found a #vulnerability in #MantisBT - Authentication bypass for some passwords due to PHP type juggling (CVE-2025-47776).

Any account that has a password that results in a hash that matches ^0+[Ee][0-9]+$ can be logged in with a password that matches that regex as well. For example, password comito5 can be used to log in to the affected accounts and thus gain unauthorised access.

The root cause of this bug is the incorrect use of == to match the password hash:

if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password )

The fix is to use === for the comparison.

This vulnerability has existed in MantisBT ever since hashed password support was added (read: decades). MantisBT 2.27.2 and later include a fix to this vulnerability. https://mantisbt.org/download.php

#CVE_2025_47776 #infosec #cybersecurity
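The loose versus strict comparison described in the post above, as an added PHP example that is not part of the original post and not MantisBT's code. The hash strings are constructed values shaped like MD5 hex digests, and all function names are hypothetical.

```php
<?php
// Added illustration; not MantisBT code. All hash strings are constructed.

const JUGGLING_PATTERN = '/^0+[Ee][0-9]+$/'; // regex quoted in the post

// Loose comparison, as in the vulnerable check: when both operands are
// numeric strings PHP compares them as numbers, and "0e<digits>" parses
// as 0 * 10^<digits>, i.e. zero.
function loose_match(string $computed, string $stored): bool {
    return $computed == $stored;
}

// Strict comparison, as in the fix: same type and identical bytes.
function strict_match(string $computed, string $stored): bool {
    return $computed === $stored;
}

// Alternative strict check (assumption: not what the project uses):
// hash_equals() compares strings byte by byte in constant time.
function constant_time_match(string $computed, string $stored): bool {
    return hash_equals($stored, $computed);
}

// Audit helper: list accounts whose stored hash a loose comparison
// would treat as the number zero.
function exposed_accounts(array $hashes_by_user): array {
    return array_keys(array_filter(
        $hashes_by_user,
        fn(string $h): bool => preg_match(JUGGLING_PATTERN, $h) === 1
    ));
}

// Constructed sample data: two different "0e..." strings and one ordinary one.
$stored   = '0e' . str_repeat('1', 30);
$computed = '0e' . str_repeat('7', 30);
$ordinary = str_repeat('ab12', 8);

var_dump(loose_match($computed, $stored));         // numeric comparison
var_dump(strict_match($computed, $stored));        // byte comparison
var_dump(constant_time_match($computed, $stored)); // byte comparison
var_dump(loose_match($ordinary, $stored));         // non-numeric operand
var_dump(exposed_accounts([
    'alice' => $stored,   // constructed account names
    'bob'   => $ordinary,
]));
```

On an installation still running a version older than 2.27.2, the audit helper identifies which stored hashes are exposed so those accounts can have their passwords reset as part of the upgrade.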

MantisBT 2.27.2 released 🚀
Security release. https://mantisbt.org/blog/archives/mantisbt/796

#mantisbt #release

MantisBT 2.27.2 Released – Mantis Bug Tracker – Blog

Filed an issue at #MantisBT in 2010. Got a response today. Time flies.

MantisBT 2.27.0 released 🚀
Feature and maintenance release. Dropping support for PHP 7.3 and older, Markdown improvements including syntax highlighting for code blocks, Graphs improvements, code cleanup and bug fixes. https://mantisbt.org/blog/archives/mantisbt/778

#mantisbt #release

MantisBT 2.27.0 Released – Mantis Bug Tracker – Blog

MantisBT 2.26.4 released 🚀
Maintenance and security release https://mantisbt.org/blog/archives/mantisbt/770

#mantisbt #release

MantisBT 2.26.4 Released – Mantis Bug Tracker – Blog