MantisBT CVE-2026-34463
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires *manager* or *administrator* access level).
Impact
Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.
Patches
- df22697ae497ddd93f3d9132fdf4979db8d081cd
Workarounds
Make sure Project names do not contain any HTML tags.
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.
AnalysisAI
Stored HTML injection and cross-site scripting in MantisBT versions 2.28.1 and earlier allows a privileged user (manager or administrator) to inject HTML through a Project's name field, which is later rendered unescaped on the issue clone form (bug_report_page.php) when cloning issues across projects. The flaw is mitigated by MantisBT's default Content Security Policy, which blocks inline script execution, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.6 reflects high confidentiality, integrity, and availability impacts on the vulnerable component despite requiring high privileges.
Technical ContextAI
MantisBT is a widely deployed open-source PHP-based bug tracking system, distributed via Composer as mantisbt/mantisbt. The vulnerability sits in bug_report_page.php, which renders the source Project's name as a prefix label next to the category selector when cloning an issue between projects. The patched commit (df22697) shows the fix wraps the project_get_field() output in string_html_specialchars(), the standard MantisBT helper for HTML entity encoding. Root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a stored XSS pattern where attacker-controlled data is persisted in the Projects table and later concatenated into HTML output without escaping.
RemediationAI
Vendor-released patch: upgrade to MantisBT 2.28.2 or later, which applies commit df22697ae497ddd93f3d9132fdf4979db8d081cd to escape the project name via string_html_specialchars() in bug_report_page.php (see https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2). Where immediate upgrade is not feasible, the vendor-recommended workaround is to audit existing Project names and ensure none contain HTML tags or angle brackets, then enforce that policy operationally going forward; the trade-off is that this relies on continued vigilance and does not prevent future abuse by a privileged user. Keeping the default Content Security Policy enabled materially limits script execution and should not be relaxed; additionally, restrict the set of accounts that hold manager or administrator privileges to the minimum necessary, since project name editing is gated on those roles.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-fvjf-68wh-rwp2