XSS in MantisBT

CVE-2026-41897

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of the filter_target parameter in return_dynamic_filters.php (normally used as an AJAX request on the View Issues page) allows an attacker to inject ar…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (15.7th percentile)

Affected products

  • Mantisbt — versions >= 1.0.0, < 2.28.2
