PT-2026-60393 · Packagist · Mantisbt/Mantisbt
CVE-2026-62944
·
Published
2026-07-15
·
Updated
2026-07-15
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
A missing output encoding call in print all bug page word.php allows any authenticated user to inject arbitrary HTML into an IMG tag's alt attribute via an image attachment with a crafted filename such as
probe." onload="alert(1).When any user views the HTML export page (print all bug page word.php?type page=html&export=1), the rendered IMG tag becomes
<img src="..." alt="" onload="alert(1)" />, breaking out of the alt attribute.Impact
Cross-site scripting.
Impact is limited by MantisBT's Content Security Policy.
Patches
Workarounds
None
Resources
Credits
MantisBT thanks the Dracosec Research Limited team (Chris Chan, Krecendo Hui, William Lam) for discovering and responsibly reporting the issue.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mantisbt/Mantisbt