PT-2026-39889 · Mantisbt · Mantisbt
Published
2026-05-11
·
Updated
2026-05-28
·
CVE-2026-41897
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
MantisBT (affected versions not specified)
Description
Lack of validation of the filter_target parameter in the return_dynamic_filters.php endpoint allows an attacker to inject arbitrary HTML into the response when the target is a TEXTAREA custom field. The result is reflected cross-site scripting (XSS): markup supplied in a crafted request is echoed back unencoded by the trusted site and executes in the browser of the user who sends that request, for example by following a crafted link.
Recommendations
Apply patch c885af13f0b8596714ffe11df757c09f35fbd8f4.
Until the patch is applied, avoid using the filter_target parameter of the return_dynamic_filters.php endpoint (for example by restricting access to the endpoint).
Fix
XSS
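The shape of the flaw described above, as an added PHP illustration that is not MantisBT's code: the parameter name filter_target, the endpoint and the TEXTAREA custom-field type come from the advisory, while the custom_field_<id> value format, the field-type lookup and the textarea markup are assumptions made for the example. The vulnerable function validates the numeric id but echoes the original string unencoded; the hardened one allowlists the whole value, rebuilds it from the parsed id, and still encodes at the HTML sink.

```php
<?php
declare(strict_types=1);

// Added illustration of the vulnerability class; not MantisBT code.
// Assumed for the example: filter_target values look like custom_field_<id>,
// the field type is looked up by numeric id, and the endpoint echoes the target
// into a <textarea> name attribute.

const CF_TYPE_TEXTAREA = 'textarea';
const CF_TYPE_STRING   = 'string';

// Constructed custom-field table standing in for the database.
function custom_field_type(int $id): ?string {
    $types = [7 => CF_TYPE_TEXTAREA, 9 => CF_TYPE_STRING];
    return $types[$id] ?? null;
}

// Vulnerable shape: the id is parsed and type-checked, but the original
// request string is written into the HTML unencoded once the check passes.
function render_filter_vulnerable(string $filter_target): string {
    // (int) takes the leading digits, so "7\"><svg ...>" still yields 7.
    $id = (int) substr($filter_target, strlen('custom_field_'));
    if (custom_field_type($id) !== CF_TYPE_TEXTAREA) {
        return '';
    }
    return '<textarea name="' . $filter_target . '"></textarea>';
}

// Hardened shape: reject anything that is not exactly custom_field_<digits>,
// rebuild the echoed value from the parsed id, and HTML-encode at the sink
// anyway so a later change to the value format cannot reintroduce the bug.
function render_filter_hardened(string $filter_target): string {
    if (!preg_match('/^custom_field_(\d{1,9})$/D', $filter_target, $m)) {
        return '';
    }
    $id = (int) $m[1];
    if (custom_field_type($id) !== CF_TYPE_TEXTAREA) {
        return '';
    }
    $name = htmlspecialchars('custom_field_' . $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="' . $name . '"></textarea>';
}

// Constructed payload: closes the name attribute and injects an event handler.
$payload = 'custom_field_7"><svg onload=alert(1)>';

echo render_filter_vulnerable($payload), PHP_EOL;   // payload reflected verbatim
echo render_filter_hardened($payload), PHP_EOL;     // rejected, nothing rendered
echo render_filter_hardened('custom_field_7'), PHP_EOL;
```

Run with `php example.php`. The vulnerable branch returns the injected `<svg onload=...>` inside the response, which is exactly what a reflected XSS scanner or a manual check with a quote-and-tag payload looks for; the hardened branch returns an empty string for the payload and a clean textarea for the legitimate value.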
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt