CVE-2026-44657
MantisBT XHTML Attachment XSS via CSRF Token
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | to 2.28.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-44657 vulnerability in MantisBT allows an attacker to execute arbitrary code via a stored cross-site scripting (XSS) attack, which can compromise the confidentiality and integrity of the system.
Such a compromise can lead to unauthorized access to sensitive data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.
Because the vulnerability enables code execution through crafted attachments and token reuse, it increases the risk of data breaches and unauthorized data manipulation, which are critical compliance concerns under these standards.
Therefore, organizations using affected versions of MantisBT prior to 2.28.2 may face compliance risks if this vulnerability is exploited, emphasizing the importance of applying the patch to maintain regulatory compliance.
Can you explain this vulnerability to me?
This vulnerability exists in Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. It involves the use of the show_inline=1 parameter along with a valid file_show_inline_token CSRF token on the file_download.php script. An attacker can exploit this by uploading a specially crafted XHTML attachment that references a JavaScript attachment, which allows the attacker to execute code.
How can this vulnerability impact me? :
The vulnerability allows an attacker to execute arbitrary code by uploading crafted attachments. This can lead to unauthorized actions within the MantisBT system, potentially compromising the integrity and security of the issue tracking environment.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in Mantis Bug Tracker (MantisBT) is fixed in version 2.28.2.
To mitigate this vulnerability, you should immediately upgrade your MantisBT installation to version 2.28.2 or later.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection command or network signature provided in the available resources for CVE-2026-44657.
However, detection can focus on identifying vulnerable versions of MantisBT (versions prior to 2.28.2) and monitoring for usage of the vulnerable file_download.php endpoint with the show_inline=1 parameter and valid file_show_inline_token CSRF tokens.
Administrators can check the version of MantisBT installed to determine if it is vulnerable.
Additionally, monitoring HTTP requests for the presence of the show_inline=1 parameter in file_download.php requests and unusual file uploads involving XHTML and JavaScript attachments may help identify exploitation attempts.
Since no direct detection commands are provided, a recommended approach is to update MantisBT to version 2.28.2 or later to mitigate the vulnerability.