PT-2026-39875 · Mantisbt · Mantisbt

Published: 2026-05-11 · Updated: 2026-05-19 · CVE-2026-34463

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mantis Bug Tracker (MantisBT) versions prior to 2.28.2
Description: A Stored Cross-Site Scripting (XSS) issue exists when cloning an issue from a project other than the current one. The clone form, bug_report_page.php, prepends the source project name before the category selector without proper escaping. This allows an attacker with manager or administrator privileges to inject HTML by modifying the project name. Content Security Policy (CSP), a security layer that helps detect and mitigate certain types of attacks including XSS, restricts script execution in this case.
Recommendations: Update to version 2.28.2. Ensure project names do not contain any HTML tags.
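To make the unsafe pattern concrete, here is an added PHP illustration (not MantisBT's own code; the function names and markup are hypothetical) showing the unescaped concatenation of a project name into the category label beside an escaped version, plus a simple check that supports the recommendation to keep HTML out of project names.

```php
<?php
// Added illustration, not code from MantisBT. Function names and markup are
// hypothetical; only the pattern (project name prepended to the category
// label when cloning across projects) follows the advisory.

// Unsafe: the project name reaches the HTML output verbatim.
function category_label_unescaped(string $sourceProject, string $currentProject): string {
    $prefix = ($sourceProject !== $currentProject) ? $sourceProject . ' - ' : '';
    return '<label for="category_id">' . $prefix . 'Category</label>';
}

// Escaped: every value that originates from user-editable data is
// HTML-escaped before it is concatenated into markup.
function category_label_escaped(string $sourceProject, string $currentProject): string {
    $prefix = ($sourceProject !== $currentProject) ? $sourceProject . ' - ' : '';
    $safePrefix = htmlspecialchars($prefix, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<label for="category_id">' . $safePrefix . 'Category</label>';
}

// Approximate input-side check matching the advisory's recommendation:
// flag project names in which strip_tags() would remove something.
function project_name_contains_html(string $name): bool {
    return strip_tags($name) !== $name;
}

// Constructed sample: a project name carrying harmless markup, as a user
// with manager privileges could set it.
$sampleName = 'Backend <b>team</b>';

echo category_label_unescaped($sampleName, 'Frontend'), PHP_EOL;
echo category_label_escaped($sampleName, 'Frontend'), PHP_EOL;
var_dump(project_name_contains_html($sampleName));
```

The first echo shows the markup rendered into the page as-is; the second shows the angle brackets converted to entities so the browser displays them as text.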

Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-34463, GHSA-FVJF-68WH-RWP2

Affected Products: Mantisbt