Skip to main content

Move Attachments EUVDEUVD-2026-33025

| CVE-2026-44655 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/mantisbt/mantisbt GHSA-7mqj-8gj2-cg59
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 28, 2026 - 21:22 NVD
8.6 (HIGH)
CVE Published
May 11, 2026 - 19:40 nvd
HIGH

DescriptionGitHub Advisory

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page.

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

Patches

  • 5cb4b469295889f5d2b01677c9bf82c143e0fdaa

Workarounds

None

Analysis

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page.

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

Patches

  • 5cb4b469295889f5d2b01677c9bf82c143e0fdaa

Workarounds

None

Share

EUVD-2026-33025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy