CVE-2026-44657
Deferred Deferred - Pending Action
MantisBT XHTML Attachment XSS via CSRF Token

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44657
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mantisbt mantis_bug_tracker to 2.28.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The CVE-2026-44657 vulnerability in MantisBT allows an attacker to execute arbitrary code via a stored cross-site scripting (XSS) attack, which can compromise the confidentiality and integrity of the system.

Such a compromise can lead to unauthorized access to sensitive data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Because the vulnerability enables code execution through crafted attachments and token reuse, it increases the risk of data breaches and unauthorized data manipulation, which are critical compliance concerns under these standards.

Therefore, organizations using affected versions of MantisBT prior to 2.28.2 may face compliance risks if this vulnerability is exploited, emphasizing the importance of applying the patch to maintain regulatory compliance.

Detection Guidance

There is no specific detection command or network signature provided in the available resources for CVE-2026-44657.

However, detection can focus on identifying vulnerable versions of MantisBT (versions prior to 2.28.2) and monitoring for usage of the vulnerable file_download.php endpoint with the show_inline=1 parameter and valid file_show_inline_token CSRF tokens.

Administrators can check the version of MantisBT installed to determine if it is vulnerable.

Additionally, monitoring HTTP requests for the presence of the show_inline=1 parameter in file_download.php requests and unusual file uploads involving XHTML and JavaScript attachments may help identify exploitation attempts.

Since no direct detection commands are provided, a recommended approach is to update MantisBT to version 2.28.2 or later to mitigate the vulnerability.

Executive Summary

This vulnerability exists in Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. It involves the use of the show_inline=1 parameter along with a valid file_show_inline_token CSRF token on the file_download.php script. An attacker can exploit this by uploading a specially crafted XHTML attachment that references a JavaScript attachment, which allows the attacker to execute code.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary code by uploading crafted attachments. This can lead to unauthorized actions within the MantisBT system, potentially compromising the integrity and security of the issue tracking environment.

Mitigation Strategies

The vulnerability in Mantis Bug Tracker (MantisBT) is fixed in version 2.28.2.

To mitigate this vulnerability, you should immediately upgrade your MantisBT installation to version 2.28.2 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart