CVE-2026-34463
Deferred - Pending Action
Stored XSS in MantisBT Issue Cloning

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker who can set the Project's name (which typically requires manager or administrator access level) to inject HTML that is rendered for every user who opens that clone form. This issue has been resolved in version 2.28.2.
Meta Information
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor     Product               Version / Range
mantisbt   mantis_bug_tracker    up to 2.28.2 (excluding)
mantisbt   mantis_bug_tracker    2.28.2
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the Stored XSS vulnerability in Mantis Bug Tracker affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in Mantis Bug Tracker versions 2.28.1 and prior, triggered when cloning an issue that belongs to a Project other than the current one. Detection comes down to two checks: whether the instance runs a vulnerable version, and whether the source Project name that the clone form prints in front of the category selector is output-escaped.

To detect this vulnerability on your system, you can:

  • Check the MantisBT version. Versions 2.28.1 and earlier are vulnerable; 2.28.2 contains the fix. The version string is defined as MANTIS_VERSION in core/constant_inc.php on the server, and is also shown in the page footer when the show_version configuration option is enabled.
  • Using a test Project whose name contains harmless markup (for example <b>xss-check</b>), clone an issue from that Project while a different Project is selected, and inspect the HTML source of the clone form (bug_report_page.php). If the name arrives as &lt;b&gt;xss-check&lt;/b&gt; it is escaped; if it arrives as <b>xss-check</b> the instance is vulnerable. Rename the test Project afterwards, since the name is stored.
  • Review the stored Project names themselves (Manage > Manage Projects, or the project table in the database, mantis_project_table by default) for HTML or script tags, since the Project name is where the payload lives.

Suggested commands or steps:

  • With an authenticated session cookie that has access to both Projects, fetch the clone form for an issue from the other Project and print the lines just before the category selector, for example: curl -s -b cookies.txt 'http://your-mantisbt-instance/bug_report_page.php?m_id=ISSUE_ID' | grep -n -i -B3 'category'
  • Use browser developer tools to inspect the HTML content of the clone issue form and check whether the project name is escaped (special characters such as <, >, and & encoded as &lt;, &gt;, and &amp;).
  • If you have administrative access, verify the project names in the database or via the UI to see if any contain HTML or script tags.

Can you explain this vulnerability to me?

Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier have a Stored Cross-Site Scripting (XSS) vulnerability. This occurs when cloning an issue from a different Project than the current one. The clone form (bug_report_page.php) inserts the source Project's name before the category selector without properly escaping it. If an attacker can set the Project's name (which usually requires manager or administrator access), they can inject malicious HTML code.

This vulnerability was fixed in version 2.28.2.
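The following is an added example written for this page; it is not MantisBT code and does not come from the advisory. It models the detection steps in the previous answer and the unescaped-versus-escaped rendering described in this one: a version check against the fixed release, a stand-in for the clone form's project-name/category row rendered both the 2.28.1 way and the hardened way (Python's html.escape standing in for PHP-side output escaping), a check that tells the two apart in fetched HTML, and a filter for stored project names that already carry markup. The category selector's field name category_id, the decision to examine only the text directly in front of it, and the probe project name are assumptions and constructed data, not facts from the page.

```python
"""Triage helpers for CVE-2026-34463 (added example, not MantisBT code).

Assumptions: MantisBT versions are dotted integers (e.g. "2.28.1"); the clone
form prints the source project name directly in front of the category
selector, whose form field is assumed to be named "category_id".
"""
import html
import re

FIXED_VERSION = (2, 28, 2)  # release that contains the fix per the advisory


def parse_version(version):
    """'2.28.1' -> (2, 28, 1); a suffix such as '-dev' is ignored."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised MantisBT version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """True for 2.28.1 and every earlier release, False from 2.28.2 on."""
    return parse_version(version) < FIXED_VERSION


def render_clone_category_row(project_name, escape):
    """Stand-in for the clone form's markup (constructed, not MantisBT's HTML).

    escape=False reproduces the behaviour the advisory describes: the source
    project name is concatenated into the page as-is.  escape=True is the
    hardened form; html.escape plays the role of PHP output escaping.
    """
    shown = html.escape(project_name, quote=True) if escape else project_name
    return (
        f"<td>{shown} / "
        '<select id="category_id" name="category_id">'
        '<option value="1">General</option></select></td>'
    )


def project_name_is_unescaped(page_html, probe_name):
    """Decide whether a fetched clone form prints probe_name without escaping.

    probe_name must be the source project's current name and must contain
    markup characters; otherwise the escaped and raw forms are identical and
    nothing can be concluded.  Returns True (vulnerable rendering), False
    (escaped rendering) or None (category selector not found in the page).
    """
    escaped = html.escape(probe_name, quote=True)
    if escaped == probe_name:
        raise ValueError("probe name must contain <, >, &, ' or \" to be decisive")
    anchor = page_html.find('name="category_id"')
    if anchor < 0:
        return None
    # Only the text printed in front of the selector matters for this bug.
    before_selector = page_html[max(0, anchor - 512):anchor]
    return probe_name in before_selector and escaped not in before_selector


def names_with_markup(project_names):
    """Flag stored project names that carry angle brackets (the payload
    location for this bug), e.g. from a Manage Projects export."""
    return [name for name in project_names if re.search(r"[<>]", name)]


if __name__ == "__main__":
    probe = "<i>cve-2026-34463-probe</i>"  # constructed probe project name
    for version in ("2.27.0", "2.28.1", "2.28.2"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "fixed")
    vulnerable_page = render_clone_category_row(probe, escape=False)
    fixed_page = render_clone_category_row(probe, escape=True)
    print("2.28.1-style page unescaped:", project_name_is_unescaped(vulnerable_page, probe))
    print("2.28.2-style page unescaped:", project_name_is_unescaped(fixed_page, probe))
    print("suspicious names:", names_with_markup(["Core", probe, "Plain"]))
```

In practice the HTML handed to project_name_is_unescaped would be the response body of the curl request shown in the detection answer, fetched with a session that can see both Projects; the probe name has to contain markup precisely because a name without it renders identically on patched and unpatched instances.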


How can this vulnerability impact me?

An attacker who already holds manager or administrator access on a Project can store HTML in that Project's name. Every user who later opens the clone form for an issue from that Project while a different Project is selected renders the payload, so the attacker can run script in those users' browser sessions: steal session information, perform actions with their privileges, or tamper with what the application shows them. Because setting the name requires an elevated account, the realistic scenario is an insider or a compromised manager account using the bug to reach users with higher privileges, such as site administrators, who would otherwise be out of reach.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Mantis Bug Tracker to version 2.28.2 or later, where the issue has been resolved. Until the upgrade is done, review existing Project names for HTML markup and remove any you find, and keep the manager and administrator access levels (which are required to set a Project's name) restricted to trusted accounts.

