Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.
Published: 2026-05-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mantis Bug Tracker allows a manager or administrator to set a project name that contains HTML. The name is stored in the database and, when the Move Attachments admin page renders it without escaping, the injected markup becomes part of the page. This stored XSS can then execute arbitrary JavaScript in the context of any user who visits the page, potentially stealing session cookies or performing actions on behalf of that user.

Affected Systems

The vulnerability affects MantisBT versions 1.3.0 through 2.28.1 inclusive. A fix was applied in version 2.28.2.

Risk and Exploitability

The CVSS score of 8.6 classifies this flaw as High severity. EPSS data is not available and the CVE is not listed in the CISA KEV catalog. Exploitation requires that the attacker already possess manager or administrator privileges, meaning the threat primarily applies to internal users with elevated rights. Within that constrained scope, an attacker can compromise user sessions or disrupt functionality, but remote unauthenticated exploitation is not possible.

Generated by OpenCVE AI on May 28, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later, which removes the unescaped project name rendering on the Move Attachments page.
  • If an upgrade cannot be performed immediately, sanitize or restrict project names to remove any HTML or script content, and enforce server‑side input validation.
  • As a temporary measure, limit access to the Move Attachments admin interface to trusted administrators or disable the feature until the patch is applied.
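The Impact section above describes output that is rendered without escaping, and the second recommended action asks for server-side validation of project names. The following PHP snippet is an added illustration written for this page; it is not MantisBT's code and does not reproduce the affected Move Attachments page. The function names, the option-list markup, the length limit and the sample project name are all constructed for the example. It shows the vulnerable pattern (raw interpolation into HTML) next to the hardened one (contextual escaping with `htmlspecialchars`), plus an input-time policy check as defence in depth.

```php
<?php
// Added illustration, not MantisBT code. The project name is attacker-influenced
// data (set by a manager/administrator, per the advisory), so it must be escaped
// for the HTML context at the point where it is rendered.

// Constructed sample value containing markup, the kind of input the advisory describes.
$projectName = 'Web <b>Site</b>';

// Vulnerable pattern: the raw name is interpolated straight into the HTML.
function render_option_unsafe(int $id, string $name): string
{
    return "<option value=\"$id\">$name</option>";
}

// Hardened pattern: escape for HTML with ENT_QUOTES so both quote styles are
// neutralised, and ENT_SUBSTITUTE so invalid UTF-8 cannot break the escaping.
function render_option_safe(int $id, string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<option value="' . (int) $id . '">' . $escaped . '</option>';
}

// Defence in depth (recommended action 2): reject names containing markup at
// input time. Hypothetical policy: non-empty after trimming, at most 128 bytes,
// and no angle brackets. Output escaping above remains the primary control.
function project_name_is_acceptable(string $name): bool
{
    $trimmed = trim($name);
    if ($trimmed === '' || strlen($trimmed) > 128) {
        return false;
    }
    return preg_match('/[<>]/', $trimmed) !== 1;
}

// Vulnerable rendering: the <b> tag reaches the browser as markup.
echo render_option_unsafe(7, $projectName), PHP_EOL;
// Hardened rendering: the tag is emitted as &lt;b&gt; and displayed as text.
echo render_option_safe(7, $projectName), PHP_EOL;
// Input-time check rejects the constructed sample.
var_dump(project_name_is_acceptable($projectName));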

Advisories

  • GitHub GHSA GHSA-7mqj-8gj2-cg59: MantisBT has Stored XSS on Move Attachments Admin Page

History

Fri, 29 May 2026 20:30:00 +0000

  Metrics (ssvc), values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 21:45:00 +0000

  First Time appeared, values added: Mantisbt; Mantisbt mantisbt
  Vendors & Products, values added: Mantisbt; Mantisbt mantisbt

Thu, 28 May 2026 20:45:00 +0000

  Description, values added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.
  Title, values added: MantisBT: Stored XSS on Move Attachments Admin Page
  Weaknesses, values added: CWE-79
  References, values added: (none listed)
  Metrics (cvssV4_0), values added:
  {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:12:11.191Z

Reserved: 2026-05-07T15:30:10.876Z

Link: CVE-2026-44655

Vulnrichment

Updated: 2026-05-29T19:12:03.712Z

NVD

Status: Deferred

Published: 2026-05-28T21:16:30.900

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-44655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses