CVE-2026-52883

MEDIUMPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs

Unvalidated note_type Parameter in mc_issue_update SOAP Endpoint Allows creation of TIME_TRACKING and REMINDER Notes. The SOAP path passes the user-supplied note_type integer directly to bugnote_add() without validating that the user is authorized to create that type of note. If the user's access level is higher than *$g_time_tracking_view_threshold*, they can also inject arbitrary hours into billing reports.

REST API also allows injection of TIME_TRACKING notes (but not REMINDER) through the same mc_issue_update() function.

Impact

An attacker with UPDATER access could:
  • Inject fake billable hours via TIME_TRACKING notes (note_type=2), corrupting billing data exported through MantisBT's billing reports. Organizations that bill clients based on MantisBT time tracking data would generate incorrect invoices, and corrupt time tracking reports could be used to drive project management decisions.
  • Fake REMINDER notes registered (but without actual sending of notifications).

Patches

  • https://github.com/mantisbt/mantisbt/commit/de2f71fd88746e963386c214c3ae65a3c4c851b7

Workarounds

None

Resources

  • https://mantisbt.org/bugs/view.php?id=37081
  • https://mantisbt.org/bugs/view.php?id=37200

Credits

Thanks to the following security researchers for discovering and responsibly reporting the issue
  • Vishal Shukla
  • Psalms Christopher Matovu (@byteoverride)

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 15, 2026

Last Modified

July 15, 2026

Vendor Advisories for CVE-2026-52883(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(3)

What is CVE-2026-52883?
CVE-2026-52883 is a medium vulnerability published on July 15, 2026. MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs Unvalidated notetype Parameter in mcissueupdate SOAP Endpoint Allows creation of TIMETRACKING and REMINDER Notes. The SOAP path passes the user-supplied notetype integer directly to bugnoteadd() without validating that…
When was CVE-2026-52883 disclosed?
CVE-2026-52883 was first published in the National Vulnerability Database on July 15, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-52883?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-52883, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-52883

Explore →

Is Your Infrastructure Affected by CVE-2026-52883?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.