MantisBT CVE-2026-52847
CRITICALSeverity by source
Network-reachable unauthenticated reflected XSS needing victim interaction (UI:R) with a scope change into the admin origin; CSP limits impact to low confidentiality/integrity, no availability effect.
Lifecycle Timeline
3DescriptionCVE.org
MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via print_test_result(). No authentication is required.
A Content Security Policy (script-src 'self') prevents inline JavaScript execution, but the CSP is missing a form-action directive, allowing exploitation via credential-phishing form injection and <meta> open redirects.
Impact
- Credential phishing: Attacker crafts a URL that renders a fake login form on the real MantisBT admin page. Admin credentials are submitted to an attacker-controlled server.
- Open redirect: Victim is silently redirected to a phishing or malware site.
- UI manipulation: CSS injection can hide legitimate page content and overlay attacker-controlled HTML, enabling social engineering.
Patches
- https://github.com/mantisbt/mantisbt/commit/0f32ceabadc745239754962df91a51d5d51e3fd7
- https://github.com/mantisbt/mantisbt/commit/f2191a0d8ce438bf74171d496cf721dae025a5c0
Workarounds
Remove the /admin directory, as recommended in the Admin Guide
Resources
- https://mantisbt.org/bugs/view.php?id=37103
- related advisory GHSA-vcrw-4xvv-jh49
Credits
McCaulay Hudson (@_McCaulay) of watchTowr
Articles & Coverage 1
AnalysisAI
Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the MantisBT installer at /admin/install.php remains present and network-reachable - the primary limiting factor, since the vendor advises removing the /admin directory after setup, so hardened deployments are not exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was supplied by the source (CVSS: N/A), so severity signals must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a target's exposed /admin/install.php that injects a fake login form and CSS overlay into one of the six reflected parameters, then lures an administrator to click it (e.g., via email). Because the markup renders on the genuine MantisBT admin origin, the admin trusts the fake form and submits credentials, which post to an attacker-controlled server; alternatively an injected <meta> refresh silently redirects the victim to a malware page. … |
| Remediation | Vendor-released patch: upgrade to MantisBT 2.28.4, which applies output encoding via string_html_specialchars() in print_test_result() (commits 0f32ceabadc745239754962df91a51d5d51e3fd7 and f2191a0d8ce438bf74171d496cf721dae025a5c0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all MantisBT deployments in your environment and confirm which versions are running; prioritize those with versions 2.28.3 and earlier where the installation page (/admin/install.php) is accessible over the network. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-77x8-3v3h-hrhv