XSS in MantisBT
CVE-2026-44655
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachme…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.001 (18.0th percentile)
Affected products
- MantisBT — versions >= 1.3.0, < 2.28.2
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)