Skip to main content

MantisBT CVE-2026-52881

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-07-15 https://github.com/mantisbt/mantisbt
Share

Severity by source

vuln.today AI
6.1 MEDIUM

Network-reachable unauthenticated installer reflection requires the victim admin to click a link and submit a form (UI:R), crosses into the browser context (S:C), and CSP caps impact to limited phishing/redirect (C:L/I:L, A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 19:01 vuln.today
Analysis Generated
Jul 15, 2026 - 19:01 vuln.today
CVE Published
Jul 15, 2026 - 18:34 cve.org
CRITICAL

DescriptionCVE.org

MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via an unescaped printf format string. No authentication is required.

A Content Security Policy (script-src 'self') prevents inline JavaScript execution, but the CSP is missing a form-action directive, allowing exploitation via credential-phishing form injection and <meta> open redirects.

Impact

  • Credential phishing: Attacker crafts a URL that renders a fake login form on the real MantisBT admin page. Admin credentials are submitted to an attacker-controlled server.
  • Open redirect: Victim is silently redirected to a phishing or malware site.
  • UI manipulation: CSS injection can hide legitimate page content and overlay attacker-controlled HTML, enabling social engineering.

Patches

  • https://github.com/mantisbt/mantisbt/commit/297773fbb238c39a153bd888431b41a176132098

Workarounds

Remove the /admin directory, as recommended in the Admin Guide

Resources

Credits

McCaulay Hudson (@_McCaulay) of watchTowr

AnalysisAI

Reflected cross-site scripting in MantisBT 2.28.3 and earlier lets remote attackers inject HTML into the unauthenticated /admin/install.php installer page through six user-supplied parameters echoed via an unescaped printf format string. Because the application ships a script-src 'self' Content Security Policy that lacks a form-action directive, an attacker cannot run inline JavaScript but can render fake credential-harvesting login forms, perform <meta>-based open redirects, and overlay attacker HTML via CSS injection on the legitimate admin page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with malicious install.php parameter
Delivery
Send link to MantisBT administrator
Exploit
Reflected input renders fake login form
Execution
Admin submits credentials to attacker server
Impact
Credentials exfiltrated / victim redirected

Vulnerability AssessmentAI

Exploitation Exploitation requires that the MantisBT installer at /admin/install.php still be present and reachable - the Admin Guide directs operators to remove the /admin directory after setup, so hardened production instances are not exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector, EPSS score, or KEV entry is present in the input, so quantitative exploitation signals are unavailable and cannot be compared. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a target's /admin/install.php with malicious values in one of the six reflected parameters, embedding a fake login form whose action points to an attacker-controlled server. The attacker emails the link to a MantisBT administrator; because the page is served from the real, trusted MantisBT host, the admin trusts the forged prompt, enters credentials, and they are exfiltrated - alternatively the same injection performs a silent <meta> redirect to a malware site. …
Remediation Vendor-released patch: 2.28.4 - upgrade MantisBT to 2.28.4 or later, which applies commit 297773fbb238c39a153bd888431b41a176132098 to HTML-escape the reflected form values in admin/install.php (advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-vcrw-4xvv-jh49). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit your MantisBT deployments to identify instances running version 2.28.3 or earlier and determine whether the /admin/install.php page remains accessible from the network or internet. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-52881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy