Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected XSS in Mantis Bug Tracker caused by missing validation of the filter_target parameter used by return_dynamic_filters.php. Attackers can inject arbitrary HTML when the target field is a custom TEXTAREA. The injected code executes in the context of the affected user's browser, enabling cross-site scripting, which can lead to session hijacking, credential theft, or defacement. The weakness is classified as CWE-79.

Affected Systems

MantisBT versions 1.0.0 through 2.28.1 are vulnerable. The issue is resolved in 2.28.2. Any installation running an affected version with custom TEXTAREA fields enabled is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; EPSS data is unavailable and the vulnerability is not listed in KEV. The likely attack vector is a crafted AJAX request from the View Issues page, which the attacker can trigger by luring a user to a malicious link or by embedding the payload in shared issue data. Exploitation requires the victim to visit a page that calls return_dynamic_filters.php with the injected filter_target value. Because the attack is reflected, it requires no enumeration of existing vulnerabilities, so it is relatively straightforward to trigger if an attacker can attract targeted users.

Generated by OpenCVE AI on May 28, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MantisBT installation to version 2.28.2 or later to apply the vendor patch.
  • If an upgrade is not immediately possible, remove or disable the custom TEXTAREA fields that can be targeted, or configure the system to not expose the filter_target parameter to unauthenticated requests.
  • Apply strict input validation on the server side for the filter_target parameter to ensure only allowed values are accepted, mitigating injection attempts.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-j7v9-f46r-2rp4
Title: MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field
History

Sat, 30 May 2026 03:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 21:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mantisbt, Mantisbt mantisbt

Type: Vendors & Products
Values Removed: (none)
Values Added: Mantisbt, Mantisbt mantisbt

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.

Type: Title
Values Removed: (none)
Values Added: MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Vendor: Mantisbt
Product: Mantisbt

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:15:20.499Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41897

Vulnrichment

Updated: 2026-05-30T02:15:16.662Z

NVD

Status: Deferred

Published: 2026-05-28T21:16:29.640

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-41897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses