MantisBT SQL Injection via history_order Configuration Value
MantisBT versions 2.28.3 and earlier are vulnerable to a SQL injection within the `history_order` configuration value in `core/history_api.php`, allowing an authenticated administrator to inject malicious SQL via the web UI or REST API, which then executes whenever any user views a bug with history entries, leading to sensitive data extraction and potential Remote Code Execution (RCE) via webshell if the MySQL FILE privilege is enabled.
MantisBT versions 2.28.3 and earlier are affected by a high-severity SQL injection vulnerability, identified as CVE-2026-47142. This flaw exists in core/history_api.php, where the history_order configuration value is unsafely concatenated into a SQL ORDER BY clause without proper sanitization or parameterization. An authenticated administrator can exploit this by injecting malicious SQL when setting the history_order value via the web UI (adm_config_set.php) or the REST API (PATCH /api/rest/config). Once injected, the payload executes whenever any user views a bug that includes history entries. Successful exploitation can lead to sensitive data exfiltration from the bugtracker database, including user credentials and API tokens. If the underlying MySQL server has the FILE privilege enabled, this vulnerability can escalate to full Remote Code Execution (RCE) by writing a PHP webshell to the web root.
Attack Chain
- An authenticated administrator gains access to the MantisBT web UI or REST API.
- The administrator navigates to the configuration settings or crafts a malicious REST API request to modify system parameters.
- The administrator injects malicious SQL payload (e.g., for data exfiltration or
INTO OUTFILEfor webshell creation) into thehistory_orderconfiguration value. - The MantisBT application stores this unsanitized malicious SQL string in its database as the
history_orderconfiguration value. - Any authenticated user subsequently views a bug within MantisBT that has history entries.
- When displaying the bug history, the vulnerable
core/history_api.phpconcatenates the stored malicioushistory_ordervalue directly into a SQLORDER BYclause. - The database executes the crafted SQL query, leading to actions such as sensitive data extraction (e.g., credentials, API tokens, private issue data) from the bugtracker database.
- If the MySQL server has the
FILEprivilege, the injected SQL can write a PHP webshell to the web root, achieving Remote Code Execution for the attacker.
Impact
The successful exploitation of CVE-2026-47142 poses a critical risk to the confidentiality and integrity of MantisBT instances. Attackers can extract highly sensitive information, including all user credentials (e.g., cookie_string, password hashes), API tokens, and confidential issue data from the entire bugtracker database. Furthermore, if the underlying MySQL server is configured with the FILE privilege, the vulnerability can be leveraged to achieve full Remote Code Execution (RCE) on the server by writing a PHP webshell to the web root, giving attackers persistent access and control over the compromised system. While specific victim counts are not available, all MantisBT instances running versions 2.28.3 or earlier are at risk.
Recommendation
- Patch MantisBT installations immediately to a version beyond 2.28.3, applying the fixes referenced in the GitHub advisory.
- Deploy the provided Sigma rule to your SIEM to detect attempts at injecting
INTO OUTFILEvia thehistory_orderconfiguration. - Review web server access logs for requests to
adm_config_set.phporPATCH /api/rest/configcontaining suspicious SQL keywords, especiallyINTO OUTFILEwithin parameters. - Restrict the MySQL
FILEprivilege to mitigate the impact of SQL injection leading to RCE if not strictly necessary for application functionality.
Detection coverage 1
Detects CVE-2026-47142 Exploitation - MantisBT history_order SQLi via INTO OUTFILE
highDetects attempts to exploit CVE-2026-47142 by injecting 'INTO OUTFILE' into the MantisBT history_order configuration via the web UI or REST API, aiming for Remote Code Execution.
Detection queries are available on the platform. Get full rules →