Mantis 2.28.0
5 January 2026
Mantis version 2.28.0 is now available (major release).
Upgrading to Mantis 2.28.0
Mantis 2.28.0 can be updated to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Mantis updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install to test the 2.28.0 upgrade prior to moving it live with Installatron's Sync functionality. Get started managing Mantis with Installatron.
What's New in Mantis 2.28.0
2.27.3
Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2.
Bug Fixes
- 0036619: [administration] Most Admin Checks are disabled in 2.27.2 (dregad)
- 0036620: [administration] PHP Fatal error in Admin Checks of custom fields (atrol)
2.27.2
Maintenance and security release addressing 4 vulnerabilities, fixing several bugs and including a few minor improvements. Many thanks to Harry Sintonen / Reversec for CVE-2025-47776 (GHSA-4v8w-gg5j-ph37), Mazen Mahmoud for CVE-2025-46556 (GHSA-r3jf-hm7q-qfw5), Chaitanya Reddy for CVE-2025-55155 (GHSA-q747-c74m-69pr) and d3vpoo1 for CVE-2025-62520 (GHSA-g582-8vwr-68h2).
Security
- 0036502: [security] CVE-2025-62520: Ability to copy private project configurations (Columns) (atrol)
- 0036005: [security] CVE-2025-55155: Lack of verification when changing a user's email address (dregad)
- 0035893: [security] CVE-2025-46556: Denial-of-Service (DoS) via Excessive Note Length (dregad)
Bug Fixes and Changes
- 0035906: [db schema] Update ADOdb to 5.22.10 (dregad)
- 0036540: [bugtracker] Introduce a maximum PHP version (dregad)
- 0035915: [administration] Updating a global config yields incorrect error message (dregad)
- 0036164: [administration] Impossible to delete a global config defined in the database (dregad)
- 0035668: [api rest] can't change issue category to "no category" via rest api (dregad)
- 0036269: [bugtracker] Collapsed status for "Users monitoring" section is not persisted (dregad)
- 0036265: [feature] Search with collapsed filter section expands it (dregad)
- 0036263: [administration] Error editing categories with PostgreSQL: APPLICATION ERROR 401 (dregad)
- 0036515: [administration] Hardcoded role instead of config in access level check on Manage Columns page (dregad)
- 0036542: [bugtracker] When editing a bugnote, a newline is appended to the text (dregad)
- 0036512: [other] Access Denied page returns HTTP status 200 (dregad)
- 0035854: [tools] PHPUnit assertObjectHasAttribute() method is deprecated (dregad)
- 0035853: [tools] PHPUnit tests RestFiltersTest fail when anonymous access is disabled (dregad)
- 0035852: [api rest] REST API GET /filters throws deprecation warning on PHP 8.1 (dregad)
- 0036503: [bugtracker] Ability to change the default project of a user (dregad)
- 0036257: [bugtracker] Deleted notes not showing in bug history (dregad)
- 0036535: [code cleanup] Custom Field admin checks refactoring (dregad)
- 0021675: [ui] Incorrect positioning of "View Issue Details" when recalled from "Direct link to note" (dregad)
- 0035967: [authentication] CVE-2025-47776: Authentication bypass for some passwords due to PHP type juggling (dregad)