Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that by default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).
Published: 2026-05-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when MantisBT fails to escape the owner field of a saved filter. If the global setting to display real user names is enabled, an attacker with Manager or higher privileges can inject arbitrary HTML or JavaScript into that field. The input is rendered in any page that lists the filter, allowing the attacker to execute script in the browsers of other users who view the filter. This flaw can be used to perform phishing attacks, session hijacking, or arbitrary data exfiltration from the victim’s session. The weakness is a classic Stored XSS (CWE‑79).

Affected Systems

The defect affects Mantis Bug Tracker versions 2.11.0 through 2.28.1. These releases are distributed under the MIT license and are available from the official project repository. The issue is fixed in 2.28.2 and later releases. The problem is only exploitable when the configuration setting $g_show_user_realname is set to ON and when a user with Manager or higher access level saves their filter publicly; publicly stored filters are visible to all users.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the absence of an EPSS score makes it unclear how frequently attacks occur, but the vulnerability is present in a wide range of publicly accessible installations. It is not listed in CISA’s KEV catalog, suggesting no known large‑scale exploitation. Attackers would need to compromise a user account with Manager privileges to create a malicious filter; however, the stored payload would then affect all users that view the filter, enabling mass‑impact XSS. The risk is primarily confined to the web interface and requires that the application be deployed with the real‑name display enabled.

Generated by OpenCVE AI on May 22, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MantisBT 2.28.2 or later, where the stored‑filter owner field is properly escaped.
  • If an upgrade is not possible, configure $g_show_user_realname = OFF to stop rendering real names, disabling the injection vector.
  • Disable the ability to create or share stored queries by setting $g_stored_query_create_threshold and $g_stored_query_create_shared_threshold to NOBODY.

Generated by OpenCVE AI on May 22, 2026 at 21:21 UTC.
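As an added example (not OpenCVE's or MantisBT's own code), the following Python checker combines the advisory's version range with the two configuration preconditions to decide whether an installation is still exposed and which of the actions above still apply. It assumes a config_inc.php in which settings are written as bare constants (`$g_show_user_realname = ON;`) and treats an unset $g_show_user_realname as OFF; the sample config is constructed, not taken from any real installation.

```python
import re

# Version range from the advisory: 2.11.0 through 2.28.1 affected, fixed in 2.28.2.
AFFECTED_FROM = (2, 11, 0)
FIXED_IN = (2, 28, 2)
# Matches `$g_name = VALUE;` lines where VALUE is a bare MantisBT constant (ON, OFF, NOBODY, ...).
_SETTING = re.compile(r"^\s*\$g_(\w+)\s*=\s*([A-Za-z0-9_]+)\s*;", re.MULTILINE)

# Constructed sample config (not from any real installation) in the exploitable state.
SAMPLE_CONFIG = """<?php
$g_show_user_realname = ON;
$g_stored_query_create_threshold = DEVELOPER;
$g_stored_query_create_shared_threshold = MANAGER;
"""

def parse_version(version):
    # '2.28.1' or '2.28.1-dev' -> (2, 28, 1); missing components count as 0
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected_version(version):
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

def parse_config(text):
    # {setting_name: VALUE} for every bare-constant assignment found
    return {m.group(1): m.group(2).upper() for m in _SETTING.finditer(text)}

def assess(version, config_text):
    cfg = parse_config(config_text)
    affected = is_affected_version(version)
    # Only an explicit ON is flagged; an unset key is treated as OFF (assumption).
    realname_on = cfg.get("show_user_realname") == "ON"
    # The workaround needs both thresholds at NOBODY; leaving one open keeps the vector.
    keys = ("stored_query_create_threshold", "stored_query_create_shared_threshold")
    filters_blocked = all(cfg.get(k) == "NOBODY" for k in keys)
    actions = []
    if affected:
        actions.append("upgrade to MantisBT 2.28.2 or later")
        if realname_on:
            actions.append("set $g_show_user_realname = OFF;")
        if not filters_blocked:
            actions.append("set both $g_stored_query_create*_threshold to NOBODY")
    return {
        "affected_version": affected,
        "realname_on": realname_on,
        "filters_blocked": filters_blocked,
        "exploitable": affected and realname_on and not filters_blocked,
        "actions": actions,
    }
```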

Advisories

Source: Github GHSA
ID: GHSA-f633-865q-2mhh
Title: MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column
History

Fri, 22 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Mantisbt; Mantisbt mantisbt

Type: Vendors & Products
Values Added: Mantisbt; Mantisbt mantisbt

Fri, 22 May 2026 20:00:00 +0000

Type: Description
Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that by default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).

Type: Title
Values Added: MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T19:39:13.817Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40607

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses