PT-2026-39899 · Git+2 · Mantisbt+1
Published
2026-05-11
·
Updated
2026-05-28
·
CVE-2026-44655
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Mantis Bug Tracker (MantisBT) versions 1.3.0 through 2.28.1
Description
An issue exists where an unescaped Project Name allows an attacker with manager or administrator access levels to inject HTML into the Move Attachments admin page. This leads to Cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites. The impact is mitigated by a Content Security Policy, which restricts the execution of scripts.
Recommendations
Update to version 2.28.2.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt
Mantisbt/Mantisbt