Skip to main content

MantisBT CVE-2026-34463

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/mantisbt/mantisbt GHSA-fvjf-68wh-rwp2
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 19, 2026 - 22:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 19, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
May 19, 2026 - 22:22 NVD
8.6 (HIGH)
Source Code Evidence Fetched
May 11, 2026 - 20:00 vuln.today
Analysis Generated
May 11, 2026 - 20:00 vuln.today
CVE Published
May 11, 2026 - 19:32 nvd
HIGH

DescriptionGitHub Advisory

When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires *manager* or *administrator* access level).

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

Patches

  • df22697ae497ddd93f3d9132fdf4979db8d081cd

Workarounds

Make sure Project names do not contain any HTML tags.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.

AnalysisAI

Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.

Technical ContextAI

MantisBT is a widely deployed open-source PHP-based bug tracking system, distributed via Composer as mantisbt/mantisbt. The vulnerability sits in bug_report_page.php, which renders the source Project's name as a prefix label next to the category selector when cloning an issue between projects. The patched commit (df22697) shows the fix wraps the project_get_field() output in string_html_specialchars(), the standard MantisBT helper for HTML entity encoding. Root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS pattern where attacker-controlled data is persisted in the Projects table and later concatenated into HTML output without escaping.

RemediationAI

Vendor-released patch: upgrade to MantisBT 2.28.2 or later, which applies commit df22697ae497ddd93f3d9132fdf4979db8d081cd to escape the project name via string_html_specialchars() in bug_report_page.php (see https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2). Where immediate upgrade is not feasible, the vendor-recommended workaround is to audit existing Project names and ensure none contain HTML tags or angle brackets, then enforce that policy operationally going forward; the trade-off is that this relies on continued vigilance and does not prevent future abuse by a privileged user. Keeping the default Content Security Policy enabled materially limits script execution and should not be relaxed; additionally, restrict the set of accounts that hold manager or administrator privileges to the minimum necessary, since project name editing is gated on those roles.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-34463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy