MantisBT - Issues

0023689: UI Layout improvement

Mon, 15 Jun 2026 06:00:41 -0400

I like the new layout and general appearance of the new UI, to facilitate the use of the mantis I suggest that the top button bar always be visible at the top of the page as attached image.

Related to 0022253

0037255: new AudioNotes Plugin for MantisBT

Mon, 15 Jun 2026 05:59:36 -0400

A lightweight and native audio recording plugin for MantisBT. It allows users to record voice notes directly in the browser and attach them to comments (bugnotes) or bug reports.

Key Features

* Native Browser Recording: Powered by the HTML5 MediaRecorder API. No third-party plugins, Flash, or external dependencies required.
* Format Compatibility: Automatically detects and selects the best supported container and codec for the active browser (audio/mp4 on Safari/iOS, audio/webm on Chrome/Firefox, audio/ogg, or audio/wav).
* Live Waveform Visualizer: Renders a real-time voice frequency visualizer using the HTML5

0037254: markdown icons

Mon, 15 Jun 2026 05:54:22 -0400

some markdown icons dont show in mantis.

sample:
## � red

## �️ tools icon

## ✅ green check

0020431: Use utf8mb4 charset for new MySQL installations

Mon, 15 Jun 2026 05:54:21 -0400

We currently create the database with 'utf8' charset and 'general_ci' collation.

In MySQL, utf8 charset uses up to 3 bytes, which means some characters can't be stored properly. Since MySQL 5.5.3 the 'utf8mb4' charset is available, and does not have this limitation.

We should use utf8mb4 for new installation.

In addition, we default to 'general' collation which sometimes yield incorrect sort order for special (multibyte) characters. See MySQL documentation [1] for examples and more explanation.

[1] http://dev.mysql.com/doc/refman/5.7/en/charset-unicode-sets.html

0036862: Add possibility to add robots.txt

Sat, 13 Jun 2026 15:51:38 -0400

It would be great if there is a supported way to provide robots.txt file to Mantis.

I recently came to my Mantis instance seeing a lot of GPTBot requests and I thought I could just filter them out with robots.txt... only to figure out there is not built-in way to do so...

0037252: Erro ao cadastrar funcionario

Thu, 11 Jun 2026 19:07:00 -0400

FGFgfgfgfgf

0037250: The news_list_page.php page does not display news for “All Projects”

Thu, 11 Jun 2026 07:57:58 -0400

This is a regression in commit [b78f966](https://github.com/mantisbt/mantisbt/commit/b78f966e013d494ea27d92bba39d797a1266b7b7#diff-2967656ba78fdcf995e0491d97c1302676015a24570466f137e69fec3faae739R215) in 2014:
```
$t_query .= ' WHERE project_id=\'$c_project_id\'';
```

0024575: APPLICATION ERROR #2800 - Disk space = 0

Mon, 08 Jun 2026 02:05:45 -0400

In version 2.7.0 i'm get alltime the App Error #2800 when closing issues, in all machines.
server (linux ubuntu 64bit - PHP 7)
searching in other issues i found that was related to cookies, cleaned cookies and don't solve.

Checking i found that disk was full, so after clean disk, all normalized.

I remember in older versions there was a explicit error message like "disk full", can this message come back?
better if mantis show warning if disk space is low...

0037235: Open Redirect with `return` parameter in login_page.php

Thu, 04 Jun 2026 09:08:52 -0400

This finding is a bypass of the fix for CVE-2017-7620, which addressed mixed-slash URLs (`\/evil.com`) by converting backslashes to `%5C`. The protocol-relative shape (`//evil.com`) was not covered by that fix.

# Details
Incomplete URL sanitization in `string_sanitize_url()` (`core/string_api.php`, lines 265-332) allows an attacker to craft a login page URL with a protocol-relative redirect target (e.g., `//evil.example.com/`) in the `return` parameter. The sanitizer's rejection regex (`(?:[^:]*)?:/*`) requires a `:` character to identify off-site URLs, so protocol-relative URLs (which contain no scheme or colon) pass through unmodified. When an already-authenticated user visits `login_page.php?return=%2F%2Fevil.example.com%2F`, they are silently redirected to the attacker-controlled host.

The `login_page.php` caller (line 89) passes the sanitized return value to `print_header_redirect()` with `$p_sanitize=false` and `$p_absolute=true`, which emits it directly as a `Location` header without further validation. By contrast, other callers of `print_header_redirect` elsewhere in the code (e.g., `account_prefs_reset.php`, line 91) pass `$p_sanitize=true`, which triggers a second sanitization pass that prepends the MantisBT host prefix (neutralizing any redirect). The login pages do not use this safer pattern, leaving them exposed.

# Impact
An attacker distributes a link to the legitimate MantisBT login page with a crafted `return` parameter, after the victim logs in (or if already logged in), the victim's browser navigates to the URL (without specifying scheme e.g.: `https:`) set in the `return` parameter.

0037237: Printing an issue having notes without text triggers PHP error

Wed, 03 Jun 2026 12:02:50 -0400

When executing print_all_bug_page_word.php to print an Issue that has bugnotes without text (i.e. bugnote.note = null), a PHP error is triggered:

INTERNAL APPLICATION ERROR

MantisMarkdown::convert(): Argument 1 ($p_string) must be of type string, null given, called in.../mantisbt/plugins/MantisCoreFormatting/MantisCoreFormatting.php on line 195

Stack trace
```
# Filename Line Class Type Function Args
0 .../mantisbt/plugins/MantisCoreFormatting/MantisCoreFormatting.php 195 MantisMarkdown -> convert -
1 .../mantisbt/core/event_api.php 214 MantisCoreFormattingPlugin -> formatted -
2 .../mantisbt/core/event_api.php 310 - - event_callback -
3 .../mantisbt/core/event_api.php 183 - - event_type_chain -
4 .../mantisbt/core/string_api.php 166 - - event_signal -
5 .../mantisbt/print_all_bug_page_word.php 531 - - string_display_links
```

0037133: The buttons on the “Access Denied” widget may contain incorrect links

Wed, 03 Jun 2026 11:19:38 -0400

For example, the “/admin/login_page.php?return=admin%2Findex.php” is converted to “admin/login_page.php?return=admin%2Findex.php” for "Login" button.

0035629: New Menu API

Tue, 02 Jun 2026 14:05:10 -0400

I think it is necessary to separate the code that collects links to form the main side menu into a separate API file. Now the `layout_api.php` file is quite large and contains more than 1300 lines. Of these, 250 lines are not used to print the actual layout of the page, but instead form a list of menu items.

Also, a new API is needed for correct generation of the sitemap ( 0035523 ).

0037227: Remove code specific to PHP safe_mode

Mon, 01 Jun 2026 20:05:06 -0400

Safe mode has been removed from PHP in 5.4.
We require PHP 5.5 since 2.7.0 (0023378).

Identified occurrences:
- check in install.php
- 3 calls to set_time_limit() with `@` operator (see 0004555, 0008830)
- helper_begin_long_process()
- admin/upgrade_unattended.php

0037221: Login button not working on mobile Page crashes on submit User cannot reset password

Mon, 01 Jun 2026 08:04:02 -0400

0037182: A way to see all users without any activity

Mon, 01 Jun 2026 05:07:28 -0400

Hi,

On the Users page (https://bugs.xdebug.org/manage_user_page.php), it is possible to see all users that never logged in (Unused), or are New. I would like there to be a additional tab for users that never had any activity (no bugs, notes, attachments, or monitored issues).

I have created a patch for that, which I have attached. It's my first one, so please be kind. I also don't know if I missed any other possible activities, but these can be easily added.

If this seems suitable, I can also provide some translations.

cheers,
Derick

0037075: SOAP Issue Update Implicitly Reassigns Reporter To The Caller When reporter Is Omitted

Sun, 31 May 2026 20:10:05 -0400

mc_issue_update() defaults $t_reporter_id to the authenticated SOAP caller
when the submitted issue object does not contain a reporter field:

```php
$t_reporter_id = isset( $p_issue['reporter'] ) ? mci_get_user_id( $p_issue['reporter'] ) : $t_user_id;
```

As a result, a normal SOAP update that omits reporter silently rewrites the
issue reporter to the current user.

0037219: Security: Add allowed_classes => false to unserialize() calls to prevent PHP Object Injection

Sun, 31 May 2026 19:32:44 -0400

The following functions call unserialize() without specifying allowed_classes:

- filter_api.php (filter deserialization from session/database)
- email_queue_api.php (email queue deserialization)
- safe_unserialize() helper

This leaves them potentially vulnerable to PHP Object Injection (POI) via gadget
chains using classes already loaded in memory, even when the data source appears
trusted.

Fix: Add ['allowed_classes' => false] as a defence-in-depth hardening measure.
The deserialized data in these locations is always a plain array of scalar values —
no object instantiation is expected — so this change does not affect functionality.

GitHub PR with the fix: https://github.com/mantisbt/mantisbt/pull/2229

0037134: The "Jump to bug" form should accept bug_id with leading `#`

Sun, 31 May 2026 17:16:48 -0400

Currently, the form only accepts integer values, causing an error to be thrown f the user enters `#1234` in the search field, which sometimes happen when copy/pasting e.g from a Git commit message.

As a convenience, we should also allow integers prefixed by the configured tag ($g_bug_link_tag, `#` by default).

0019370: Retire 'user_print_pref' table and related code

Fri, 29 May 2026 20:42:06 -0400

Seems like a table that was used to select columns to show in print page. We now have a different model for customizing columns across all features.

0037110: New translation: serbo-croatian (latin)

Thu, 28 May 2026 12:26:43 -0400

A new language file has been committed by TranslateWiki.net on on Nov 3, 2025 (see :mantisbt:b5803c2d264bec9ad8d5630ff36d9ed140506338:)

Problem: the language file does not follow our naming convention.
* Current: `strings_sh-latn.txt‎`
* Expected: `strings_serbo-croatian_latin.txt‎` (or something similar).

The problem has been reported upstream:
https://translatewiki.net/wiki/Support#MantisBT_new_language_'sh-latn'

Once fixed, it should be added to *$g_language_choices_arr*.

0032861: Implement IssueUpdateCommand

Mon, 25 May 2026 11:54:48 -0400

Implement IssueUpdateCommand and use it from the appropriate places in the code.

There are discrepancies between issue updates from the GUI vs the API, as bug_udpate.php has not been kept in sync with mc_issue_update(). One confirmed case is the latter does not check for child relationships when resolving an issue (see https://github.com/mantisbt/mantisbt/pull/1906#issuecomment-1693602387).

0037144: Optional plugin dependencies are not displayed

Mon, 25 May 2026 11:54:46 -0400

The `manage_plugin_page.php` page does not display information about optional plugin dependencies.
Having complete information about plugins would be useful for administrators, particularly when a new dependency appears in an updated version of a plugin.

0037180: dsng장애

Sun, 24 May 2026 03:46:40 -0400

0037146: Difficult to use the Mantis Graph plugin from within other plugins

Thu, 21 May 2026 12:56:12 -0400

The Mantis Graph plugin offers a variety of useful features for displaying charts in a simple way. This encourages developers of other plugins to take advantage of this free functionality and add Mantis Graph as one of their dependencies.

However, developers have to manually include the `MantisGraph.js` file in their code because the Mantis Graph plugin does not provide an easy way to load it automatically, despite the file being included in the plugin.

0036874: Support CDN in require_js and require_css functions

Thu, 21 May 2026 12:54:38 -0400

MantisBT has `require_js()` and `require_css()` functions designed to generate lists of external scripts and styles for subsequent inclusion in the HTML document header when it is output. However, these functions only support local links. Support for CDN links will allow to conveniently include headers directly on the pages where specific scripts and styles are needed. If this proposal is implemented, it will be possible to optimize pages with dropzone.js and bootstrap-datetimepicker.js scripts, as well as Viz.js.