PT-2026-60393 · Packagist · Mantisbt/Mantisbt

CVE-2026-62944

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

8.6

High

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
A missing output encoding call in print all bug page word.php allows any authenticated user to inject arbitrary HTML into an IMG tag's alt attribute via an image attachment with a crafted filename such as probe." onload="alert(1).
When any user views the HTML export page (print all bug page word.php?type page=html&export=1), the rendered IMG tag becomes <img src="..." alt="" onload="alert(1)" />, breaking out of the alt attribute.

Impact

Cross-site scripting.
Impact is limited by MantisBT's Content Security Policy.

Patches

Workarounds

None

Resources

Credits

MantisBT thanks the Dracosec Research Limited team (Chris Chan, Krecendo Hui, William Lam) for discovering and responsibly reporting the issue.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62944
GHSA-H2WF-967X-GXVW

Affected Products

Mantisbt/Mantisbt