Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover and full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, and the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Published: 2026-05-20
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mantis Bug Tracker (MantisBT) contains a stored cross-site scripting flaw triggered by textarea custom fields on the bug edit page. Improper escaping of user-supplied content allows an attacker to inject arbitrary HTML and, if the page's Content-Security-Policy permits, execute JavaScript when the page renders. This can facilitate session hijacking, enabling an attacker to impersonate administrators and gain full project-level data access. The weakness corresponds to CWE-79 (improper neutralization of input during web page generation), i.e. unsanitized output.

Affected Systems

Both the 2.28.1 release and any older version of MantisBT are affected. The flaw was resolved in 2.28.2, so any deployment running 2.28.2 or newer is not affected. For environments that cannot promptly upgrade, the vendor recommends applying the default CSP, which blocks script execution and mitigates the exploitation risk.

Risk and Exploitability

The CVSS base score is 5.4 (medium severity); no EPSS score is available, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. To exploit the flaw, an attacker must first be authenticated with bug-reporting rights within the target project and then insert a malicious payload into a textarea-type custom field. Once a victim views the vulnerable edit form, the injected script can run, leading to credential theft or further compromise. Because the payload is stored inside the web application, any account with low-privilege bug-reporting permission can plant it, and it fires for every user who views the edit form, including high-privilege administrators; this is what makes the issue dangerous despite the low privilege required.

Generated by OpenCVE AI on May 20, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later to apply the official fix
  • If an upgrade is not immediately possible, enforce a strict Content‑Security‑Policy that blocks script execution for the application
  • Restrict or remove the ability for users with bug‑reporting permissions to configure textarea‑type custom fields, thereby eliminating the attack surface
  • Enable logging and monitoring of page views and custom‑field modifications to detect potential exploitation attempts
  • Regularly review and patch any other unpatched components of the MantisBT environment

Generated by OpenCVE AI on May 20, 2026 at 22:50 UTC.
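As an added illustration of the two points above (output escaping of a textarea custom-field value, and a Content-Security-Policy that blocks inline script execution), the following Python snippet is not MantisBT code and does not reproduce the flawed logic in bug_update_page.php. It contrasts a generic unescaped interpolation with a correctly escaped one on a constructed sample value, and checks a CSP header for a script-src that would permit inline scripts. The function names, the sample field value and the header strings are all constructed for this example.

```python
import html
import re

# Constructed sample: a textarea custom-field value that contains a closing
# </textarea> tag. Echoed unescaped inside <textarea>...</textarea>, the
# browser ends the field early and treats the rest as live markup.
SAMPLE_VALUE = 'line one\n</textarea><b>not a field anymore</b>'


def render_textarea_unescaped(name, value):
    # Generic insecure pattern (hypothetical, not MantisBT's code):
    # the stored value is interpolated into the HTML as-is.
    return f'<textarea name="{name}">{value}</textarea>'


def render_textarea_escaped(name, value):
    # Hardened form: escape &, <, >, " and ' so the value stays inert text
    # regardless of what the submitting user typed.
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<textarea name="{safe_name}">{safe_value}</textarea>'


def textarea_count(markup):
    # Count how many textarea end tags a browser would actually see.
    # One is expected; two means the stored value broke out of the element.
    return len(re.findall(r'</textarea>', markup, flags=re.I))


def csp_blocks_inline_scripts(header_value):
    """Return True if the Content-Security-Policy header value has a script-src
    (or fallback default-src) directive that does not allow 'unsafe-inline'.

    The check is deliberately conservative: it treats 'unsafe-inline' as
    permissive even when a nonce or hash source is also present, and it
    reports False when neither directive exists at all (no restriction).
    """
    directives = {}
    for part in header_value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, sources = part.partition(' ')
        directives[name.lower()] = sources.split()
    sources = directives.get('script-src', directives.get('default-src'))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


if __name__ == '__main__':
    for renderer in (render_textarea_unescaped, render_textarea_escaped):
        markup = renderer('cf_notes', SAMPLE_VALUE)
        print(renderer.__name__, '->', textarea_count(markup), 'end tag(s)')
    for hdr in ("default-src 'self'; script-src 'self'",
                "default-src 'self'; script-src 'self' 'unsafe-inline'"):
        print(repr(hdr), '->', csp_blocks_inline_scripts(hdr))
```

The escaping check is the one that removes the root cause: with the value escaped, the browser sees exactly one textarea element no matter what the reporter submitted. The CSP check is the compensating control the advisory describes: a policy whose script-src (or default-src fallback) omits 'unsafe-inline' prevents an injected inline script from running even if escaping is missing, which is why the vendor's default CSP is offered as the interim workaround.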

Advisories
Source | ID | Title
Github GHSA | GHSA-qj6w-v29q-4rgx | MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
History

Wed, 20 May 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mantisbt; Mantisbt mantisbt
Vendors & Products | | Mantisbt; Mantisbt mantisbt

Wed, 20 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Title | | MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T21:11:02.341Z

Reserved: 2026-04-07T22:40:33.822Z

Link: CVE-2026-39960

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-20T22:16:36.563

Modified: 2026-05-20T22:16:36.563

Link: CVE-2026-39960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T23:00:15Z

Weaknesses