Which versions of Mantisbt are affected by EUVD-2026-14516?

CVE-2026-30849 presents critical security risk rated CVSS 9.3. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems.. A patch is available.

How to fix or mitigate EUVD-2026-14516?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Mantisbt EUVD-2026-14516

Q: What is the CVSS score of EUVD-2026-14516?

EUVD-2026-14516 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-30849 CRITICAL

Authentication Bypass by Primary Weakness (CWE-305)

2026-03-23 GitHub_M

Authentication Bypass Mantisbt

9.3

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 23, 2026 - 19:30 euvd

EUVD-2026-14516

Analysis Generated

Mar 23, 2026 - 19:30 vuln.today

CVE Published

Mar 23, 2026 - 19:10 nvd

CRITICAL 9.3

DescriptionGitHub Advisory

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. Version 2.28.1 contains a patch. Disabling the SOAP API significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name.

AnalysisAI

MantisBT versions prior to 2.28.1 contain an authentication bypass vulnerability in the SOAP API caused by improper type checking on the password parameter when running on MySQL family databases. An attacker who knows a victim's username can log in to the SOAP API without knowing the correct password and execute any API function available to that account. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious SOAP envelope with integer password

Exploit

Send to MantisBT SOAP API endpoint

Execution

Bypass authentication via type conversion

Impact

Execute arbitrary API functions as victim