Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored XSS flaw exists in MantisBT before version 2.28.2. An attacker uploads a specially crafted XHTML attachment that references a JavaScript attachment; when a victim later retrieves it through file_download.php with the show_inline=1 parameter and a valid file_show_inline_token CSRF token, the victim's browser executes the attacker's JavaScript. This can lead to credential theft, session hijacking, or malicious code execution in the context of the victim's browser session.

Affected Systems

The vulnerability affects the open-source MantisBT issue-tracking application, specifically any installation of the bug tracker with a version earlier than 2.28.2. No other vendors are listed; MantisBT is the sole affected product.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score is not available and the vulnerability is not recorded in the CISA KEV catalog. The likely attack vector is the web interface: exploitation requires the attacker to upload a malicious attachment and a victim to download it with the show_inline flag set. Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, compromising data confidentiality and integrity on the client side.

Generated by OpenCVE AI on May 28, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later
  • Disable or remove the show_inline parameter if it is not required for business processes
  • Configure the system to reject or sanitize XML/HTML attachments until a patch is applied

Generated by OpenCVE AI on May 28, 2026 at 21:22 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-p6fr-rxq7-xcg8
Title: MantisBT Vulnerable to Stored XSS in File Download

History

Fri, 29 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 22:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Mantisbt; Mantisbt mantisbt

Type: Vendors & Products
Values Removed: none
Values Added: Mantisbt; Mantisbt mantisbt

Thu, 28 May 2026 20:45:00 +0000

Type: Description
Values Removed: none
Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.

Type: Title
Values Removed: none
Values Added: MantisBT: Stored XSS in File Download

Type: Weaknesses
Values Removed: none
Values Added: CWE-79

Type: References
Values Removed: none
Values Added: (empty)

Type: Metrics
Values Removed: none
Values Added: cvssV4_0 {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T14:50:03.745Z

Reserved: 2026-05-07T16:20:08.658Z

Link: CVE-2026-44657

Vulnrichment

Updated: 2026-05-29T14:49:56.539Z

NVD

Status: Deferred

Published: 2026-05-28T21:16:31.053

Modified: 2026-05-29T15:11:03.853

Link: CVE-2026-44657

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:30:27Z

Weaknesses