PT-2026-39899 · Git+2 · Mantisbt+1

Published

2026-05-11

·

Updated

2026-05-28

·

CVE-2026-44655

CVSS v4.0

8.6

High

VectorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker (MantisBT) versions 1.3.0 through 2.28.1
Description An issue exists where an unescaped Project Name allows an attacker with manager or administrator access levels to inject HTML into the Move Attachments admin page. This leads to Cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites. The impact is mitigated by a Content Security Policy, which restricts the execution of scripts.
Recommendations Update to version 2.28.2.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44655
GHSA-7MQJ-8GJ2-CG59

Affected Products

Mantisbt
Mantisbt/Mantisbt