MantisBT CVE-2026-52881
CRITICALSeverity by source
Network-reachable unauthenticated installer reflection requires the victim admin to click a link and submit a form (UI:R), crosses into the browser context (S:C), and CSP caps impact to limited phishing/redirect (C:L/I:L, A:N).
Lifecycle Timeline
3DescriptionCVE.org
MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via an unescaped printf format string. No authentication is required.
A Content Security Policy (script-src 'self') prevents inline JavaScript execution, but the CSP is missing a form-action directive, allowing exploitation via credential-phishing form injection and <meta> open redirects.
Impact
- Credential phishing: Attacker crafts a URL that renders a fake login form on the real MantisBT admin page. Admin credentials are submitted to an attacker-controlled server.
- Open redirect: Victim is silently redirected to a phishing or malware site.
- UI manipulation: CSS injection can hide legitimate page content and overlay attacker-controlled HTML, enabling social engineering.
Patches
- https://github.com/mantisbt/mantisbt/commit/297773fbb238c39a153bd888431b41a176132098
Workarounds
Remove the /admin directory, as recommended in the Admin Guide
Resources
- https://mantisbt.org/bugs/view.php?id=37103
- related advisory GHSA-77x8-3v3h-hrhv
Credits
McCaulay Hudson (@_McCaulay) of watchTowr
AnalysisAI
Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the MantisBT installer at /admin/install.php still be present and reachable - the Admin Guide directs operators to remove the /admin directory after setup, so hardened production instances are not exposed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, or KEV entry is present in the input, so quantitative exploitation signals are unavailable and cannot be compared. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a target's /admin/install.php with malicious values in one of the six reflected parameters, embedding a fake login form whose action points to an attacker-controlled server. The attacker emails the link to a MantisBT administrator; because the page is served from the real, trusted MantisBT host, the admin trusts the forged prompt, enters credentials, and they are exfiltrated - alternatively the same injection performs a silent <meta> redirect to a malware site. … |
| Remediation | Vendor-released patch: 2.28.4 - upgrade MantisBT to 2.28.4 or later, which applies commit 297773fbb238c39a153bd888431b41a176132098 to HTML-escape the reflected form values in admin/install.php (advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-vcrw-4xvv-jh49). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your MantisBT deployments to identify instances running version 2.28.3 or earlier and determine whether the /admin/install.php page remains accessible from the network or internet. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today