Severity: HIGH | CVE-2026-44657 | CNA: GitHub_M

CVE-2026-44657: MantisBT: Stored XSS in File Download

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) via crafted file attachment in MantisBT (Mantis Bug Tracker) prior to version 2.28.2. An authenticated attacker can upload a malicious XHTML attachment that references a JavaScript attachment, then trick a victim into opening it via the file_download.php endpoint with the show_inline=1 parameter and a valid CSRF token. Successful exploitation gives the attacker full control over the victim's session in the browser, allowing them to read and modify data as that user. HarborGuard tracks this advisory and will make a patched-image rebuild available once an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle MantisBT. Any image running a MantisBT version below 2.28.2 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v4.0 vector and weights findings against each customer's per-environment compliance policy before routing alerts to the appropriate team inbox within that organization.

Patch: Pending upstream

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the MantisBT instance over the network to upload the crafted attachment and deliver the inline-download link to a victim.

  • Authentication: Required

    A low-privilege account in MantisBT is sufficient; the attacker only needs enough access to upload file attachments to a project.

  • Victim interaction: Required

    A victim must open the malicious inline file link (for example, by clicking an attacker-supplied URL or being directed to the crafted attachment), providing a social-engineering vector.

  • Attack complexity: Detail

    While the exploit itself is straightforward once the attachment is uploaded, it requires an attacker-triggered pre-condition: possession of a valid file_show_inline_token CSRF token, which introduces an environmental dependency.

Blast Radius

  • The attacker's JavaScript runs in the victim's browser session, giving full read access to the victim's MantisBT session token and any data visible in that session.
  • The attacker can issue authenticated requests as the victim, modifying issue records, comments, attachments, and project configuration within the victim's permission scope.
  • Session hijacking allows the attacker to maintain persistent access to the tracker even after the victim logs out, until the token is invalidated.
  • Availability impact is rated low: the exploit does not directly crash the service, but abuse of victim sessions can degrade data integrity across the tracker.

How HarborGuard Handles This

Available on HarborGuard: images bundling MantisBT below version 2.28.2 are flagged as soon as the CVE is ingested, which happens within minutes of publication. Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available immediately upon upstream release. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict who can reach the file_download.php endpoint, disabling inline file rendering via MantisBT configuration if the feature is not required, and enforcing strict attachment-type allowlists to block XHTML and JavaScript uploads at the application layer.
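The attachment-type allowlist and the "no inline rendering of script-capable content" control mentioned above, worked through as a serving-policy check. This is an added example written for this page, not MantisBT code or HarborGuard tooling; the allowlists, the `evaluate_attachment` function and all sample inputs are constructed assumptions.

```python
"""Attachment policy check: added illustration, not MantisBT's own code.

Two controls from the advisory: reject XHTML/JavaScript uploads regardless of
the extension they hide behind, and never serve script-capable content inline.
"""
import re
from dataclasses import dataclass

# Extensions a tracker typically needs; anything else is refused at upload.
ALLOWED_EXTENSIONS = {"txt", "log", "png", "jpg", "jpeg", "gif", "pdf", "zip", "csv"}
# Types a browser will not treat as a scriptable document; only these may be
# rendered inline (the show_inline=1 path), and then only under a CSP sandbox.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}
# Content sniff for markup the browser would execute if served inline.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|svg|iframe|object|embed)\b"
    rb"|xmlns\s*=\s*['\"]http://www\.w3\.org/1999/xhtml",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Decision:
    accept: bool   # store the upload at all?
    inline: bool   # may it be rendered inline rather than downloaded?
    headers: dict  # response headers to emit when serving it
    reason: str

def evaluate_attachment(filename: str, declared_type: str, data: bytes) -> Decision:
    """Decide whether an attachment is accepted and how it may be served."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return Decision(False, False, {}, f"extension .{ext or '?'} not in allowlist")
    # Sniff the first 4 KiB regardless of the declared type: a .txt or .csv that
    # actually holds XHTML is exactly what an extension-only check misses.
    if ACTIVE_CONTENT.search(data[:4096]):
        return Decision(False, False, {}, "active content (HTML/XHTML/SVG/script) detected")
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # keep header value well-formed
    mime = declared_type.lower().split(";")[0].strip()
    headers = {"X-Content-Type-Options": "nosniff"}   # stop the browser re-typing it
    if mime in INLINE_SAFE_TYPES:
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox"  # no script, no same-origin
        return Decision(True, True, headers, "inline-safe type")
    headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return Decision(True, False, headers, "download only")
```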


Metrics

  • CVSS v4.0: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: mantisbt / mantisbt, < 2.28.2
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N