Skip to main content

MantisBT CVE-2026-52847

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 https://github.com/mantisbt/mantisbt GHSA-77x8-3v3h-hrhv
Share

Severity by source

vuln.today AI
6.1 MEDIUM

Network-reachable unauthenticated reflected XSS needing victim interaction (UI:R) with a scope change into the admin origin; CSP limits impact to low confidentiality/integrity, no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 18:47 vuln.today
Analysis Generated
Jul 15, 2026 - 18:47 vuln.today
CVE Published
Jul 15, 2026 - 18:25 cve.org
CRITICAL

DescriptionCVE.org

MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via print_test_result(). No authentication is required.

A Content Security Policy (script-src 'self') prevents inline JavaScript execution, but the CSP is missing a form-action directive, allowing exploitation via credential-phishing form injection and <meta> open redirects.

Impact

  • Credential phishing: Attacker crafts a URL that renders a fake login form on the real MantisBT admin page. Admin credentials are submitted to an attacker-controlled server.
  • Open redirect: Victim is silently redirected to a phishing or malware site.
  • UI manipulation: CSS injection can hide legitimate page content and overlay attacker-controlled HTML, enabling social engineering.

Patches

  • https://github.com/mantisbt/mantisbt/commit/0f32ceabadc745239754962df91a51d5d51e3fd7
  • https://github.com/mantisbt/mantisbt/commit/f2191a0d8ce438bf74171d496cf721dae025a5c0

Workarounds

Remove the /admin directory, as recommended in the Admin Guide

Resources

Credits

McCaulay Hudson (@_McCaulay) of watchTowr

AnalysisAI

Reflected cross-site scripting in MantisBT's /admin/install.php (versions 2.28.3 and earlier) lets remote attackers inject HTML through six unescaped, user-supplied parameters echoed by print_test_result(). Although the page's Content-Security-Policy (script-src 'self') blocks inline JavaScript, the missing form-action directive permits credential-phishing form injection, <meta>-based open redirects, and CSS overlay attacks against the trusted admin origin. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious /admin/install.php URL
Delivery
Lure admin to open link
Exploit
Reflected parameter injects fake form/overlay
Execution
Admin submits credentials to attacker server
Impact
Attacker harvests admin credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires that the MantisBT installer at /admin/install.php remains present and network-reachable - the primary limiting factor, since the vendor advises removing the /admin directory after setup, so hardened deployments are not exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or vector was supplied by the source (CVSS: N/A), so severity signals must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a target's exposed /admin/install.php that injects a fake login form and CSS overlay into one of the six reflected parameters, then lures an administrator to click it (e.g., via email). Because the markup renders on the genuine MantisBT admin origin, the admin trusts the fake form and submits credentials, which post to an attacker-controlled server; alternatively an injected <meta> refresh silently redirects the victim to a malware page. …
Remediation Vendor-released patch: upgrade to MantisBT 2.28.4, which applies output encoding via string_html_specialchars() in print_test_result() (commits 0f32ceabadc745239754962df91a51d5d51e3fd7 and f2191a0d8ce438bf74171d496cf721dae025a5c0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all MantisBT deployments in your environment and confirm which versions are running; prioritize those with versions 2.28.3 and earlier where the installation page (/admin/install.php) is accessible over the network. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-52847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy