CVE-2026-44655 (Severity: HIGH). CNA: GitHub_M.

CVE-2026-44655: MantisBT: Stored XSS on Move Attachments Admin Page

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) affects MantisBT versions 1.3.0 through 2.28.1. An authenticated user with manager or administrator privileges can inject arbitrary HTML into the Move Attachments admin page by setting a malicious Project Name, which is then rendered unescaped to any admin who views that page. Successful exploitation allows the attacker to execute scripts in the browser of another admin, enabling session theft, credential harvesting, or unauthorized actions performed in the victim's context. Note: the description states this is fixed in 2.28.2, but no fix version has been published to the advisory record yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44655 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle MantisBT. Any image containing a MantisBT release in the affected range (1.3.0 to 2.28.1) will surface this finding automatically.

Triage: Available

Triage is available with a CVSS v4.0 score of 8.6 (HIGH), applied consistently across findings for this CVE. Per-environment compliance policy weighting can escalate or adjust priority, and routing rules direct the finding to the appropriate team inbox inside each customer organization.

Patch: Pending upstream

No fix version has been published to the upstream advisory record at this time, so no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available the moment an upstream fix is confirmed and published.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MantisBT instance over the network to set a malicious Project Name and trigger rendering on the Move Attachments admin page.

  • Authentication: Required

    A manager- or administrator-level account is needed to set the Project Name; a low-privilege account is not sufficient.

  • Victim interaction: Not required

    No victim interaction is required beyond normal use: the XSS fires whenever any admin loads the Move Attachments page.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no special race conditions or environmental prerequisites beyond having the required account.

Blast Radius

  • An attacker can read the victim admin's active session tokens, enabling account takeover without needing credentials.
  • Injected scripts can issue authenticated requests on behalf of the victim, modifying project settings, user roles, or issue data within MantisBT.
  • The attacker can harvest credentials or other sensitive data entered by the victim while the malicious script is active in their browser session.
  • Full confidentiality, integrity, and availability of the vulnerable MantisBT instance are at risk within the scope of the authenticated victim's permissions.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-44655 is active across all environments with images containing MantisBT in the affected version range. Because no upstream fix version has been confirmed in the advisory record at this time, no automated patched-image rebuild is queued. HarborGuard will re-check the advisory on every ingest cycle and make a rebuild available the moment an upstream release is confirmed. In the interim, compensating controls worth considering include:

  • restricting network access to the MantisBT admin interface via network policy (limiting which source IPs or internal namespaces can reach the admin pages);
  • auditing which accounts hold manager or administrator roles, to minimize the set of principals who could set a malicious Project Name;
  • monitoring admin-page access logs and stored Project Name values for unexpected entries containing HTML or script tags.

For customers with auto-remediation enabled, a patched-image rebuild, regression-test run, and PR against affected workloads will be initiated automatically once a fix version is available upstream.
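As an added example (not HarborGuard's or MantisBT's own code), the following Python check implements the last compensating control above: it scans exported Project Name values for raw HTML markup and shows the escaped form that the fixed page should render. The sample rows and the table/column names mentioned in the comments are constructed assumptions.

```python
import html
import re
from typing import Iterable

# A "<" followed (optionally after "/") by a letter is the start of an HTML
# tag. A legitimate project name has no reason to contain one, so this is
# flagged for human review. Math-like strings such as "a < 2026" are not
# flagged because the character after "<" is not a letter. Already-escaped
# entities such as "&lt;" are plain text and pass.
HTML_TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def contains_html(name: str) -> bool:
    """True if a Project Name carries what looks like raw HTML markup."""
    return HTML_TAG_START.search(name) is not None


def find_suspicious_project_names(records: Iterable[tuple[int, str]]) -> list[dict]:
    """Return the project records whose name holds raw HTML.

    `records` is an iterable of (project_id, name) pairs, for example rows
    exported from the MantisBT project table (table and column names are
    an assumption here, not taken from the advisory).
    """
    findings = []
    for project_id, name in records:
        if contains_html(name):
            findings.append({
                "project_id": project_id,
                "name": name,
                # The form a correctly escaped page would output: &, <, >,
                # " and ' are turned into entities so the browser shows text.
                "escaped": html.escape(name, quote=True),
            })
    return findings


# Constructed sample rows: two benign names and one carrying markup.
SAMPLE_PROJECTS = [
    (1, "Core Platform"),
    (2, "R&D (budget < 2026)"),
    (3, "Docs <b>bold</b>"),
]

if __name__ == "__main__":
    for finding in find_suspicious_project_names(SAMPLE_PROJECTS):
        print(f"project {finding['project_id']}: {finding['name']!r} "
              f"-> render as {finding['escaped']!r}")
```

Run it against a full export of project names; any hit is worth reviewing together with the audit trail of who last changed that project.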


Metrics

  • CVSS v4.0: 8.6
  • Severity: HIGH
  • Fixed in: (no value published to the advisory record)
  • Affected Products: 1
  • Affected packages: mantisbt / mantisbt, >= 1.3.0, < 2.28.2
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N