Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2.
Published: 2026-05-19
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mantis Bug Tracker contains a stored Cross‑Site Scripting flaw that is triggered when an issue is cloned from a project different than the current one. The clone form shows the source project’s name before the category selector, but the name is inserted without escaping. An attacker who can modify a project’s name—normally a manager or administrator—can inject arbitrary HTML or JavaScript. When the cloned issue is later viewed by other users the injected code executes in their browsers, enabling session hijacking, credential theft, or defacement of the web interface and thereby compromising confidentiality and integrity for all affected users.

Affected Systems

The vulnerability affects the Mantis Bug Tracker (mantisbt) software versions 2.28.1 and earlier. The flaw was fixed in version 2.28.2 and later releases.

Risk and Exploitability

The assigned CVSS score of 8.6 classifies this flaw as high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. Exploitation requires privileged access to alter a project name, after which an internal attacker can clone an issue and trigger the stored XSS. Because the flaw is active in a commonly used open‑source product, environments that deploy vulnerable versions should treat this as a significant risk.

Generated by OpenCVE AI on May 19, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mantis Bug Tracker to version 2.28.2 or newer to eliminate the stored XSS flaw.
  • Restrict the ability to modify project names to trusted administrators only to limit the potential for malicious input.
  • Implement proper output encoding for project names and enforce a content‑security policy to mitigate any residual XSS risk.

Generated by OpenCVE AI on May 19, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fvjf-68wh-rwp2 MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form
History

Tue, 19 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Mantisbt
Mantisbt mantisbt
Vendors & Products Mantisbt
Mantisbt mantisbt

Tue, 19 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2.
Title MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mantisbt Mantisbt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T21:57:49.015Z

Reserved: 2026-03-27T18:18:14.896Z

Link: CVE-2026-34463

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-19T22:16:37.980

Modified: 2026-05-19T22:16:37.980

Link: CVE-2026-34463

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T00:00:16Z

Weaknesses