Vypr Intelligence · AI-generated · May 31, 2026 · 5 CVEs

MantisBT: Five Bugs Disclosed Together — XSS, Auth Bypass, and Missing Access Controls

Five vulnerabilities in MantisBT were disclosed on May 28, 2026, spanning XSS, authorization bypass, and missing access controls — all patched in versions 2.28.2 and 2.28.0.

Key findings

  • CVE-2026-44657 allows code execution via crafted XHTML attachments with show_inline=1
  • CVE-2026-42071 lets any authenticated user download private bugnote attachments via REST API
  • CVE-2026-41897 and CVE-2026-44655 are HTML injection flaws affecting versions back to 1.0.0
  • Four of five CVEs fixed in MantisBT 2.28.2; CVE-2026-41897 fixed in 2.28.0
  • No active exploitation reported at time of disclosure

The open-source issue tracker Mantis Bug Tracker (MantisBT) had five security vulnerabilities disclosed together on May 28, 2026, covering cross-site scripting (XSS), authorization bypass, and missing access control flaws. The batch affects versions ranging from as early as 1.0.0 up to 2.28.1, and all reported issues have been addressed in releases 2.28.2 and 2.28.0.

**Code execution via crafted XHTML attachments (CVE-2026-44657)**

The most severe of the batch, CVE-2026-44657 (High), lets an attacker run script in the browser of any user who views an attachment inline: the attacker uploads a crafted XHTML attachment that references a JavaScript attachment, and the browser renders it rather than downloading it. The attack relies on the show_inline=1 parameter of file_download.php together with a valid file_show_inline_token CSRF token. All versions prior to 2.28.2 are affected; 2.28.2 fixes the issue.

**HTML injection via Project Name (CVE-2026-44655)**

CVE-2026-44655 (High) affects MantisBT versions 1.3.0 through 2.28.1. An unescaped Project Name field allows an attacker who can set it — typically requiring manager or administrator access level — to inject arbitrary HTML into the Move Attachments admin page. The fix was released in version 2.28.2.

**Missing authorization check on private bugnote attachments (CVE-2026-42071)**

CVE-2026-42071 (High) affects versions 2.23.0 through 2.28.1. A missing authorization check in MantisBT's file visibility function allows any authenticated user with at least REPORTER access to download attachments on private bugnotes they should not be able to access. The attack is carried out via the REST API endpoint GET /api/rest/issues/{id}/notes/{note_id}/files/{file_id}. This was fixed in 2.28.2.
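As an added example (not from the advisory or the MantisBT project), the following Python triage script scans constructed web-server access-log lines for successful requests to the two endpoints named above: the REST bugnote-attachment path (CVE-2026-42071) and file_download.php with show_inline=1 (CVE-2026-44657). The log format, the use of the remote-user field for the MantisBT login, and all sample values are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format (not real traffic).
# The remote-user field is assumed to hold the MantisBT login; deployments
# that log "-" there fall back to the source IP below.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/May/2026:09:12:01 +0000] "GET /mantis/view.php?id=1203 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [29/May/2026:09:12:07 +0000] "GET /mantis/api/rest/issues/1203/notes/77/files/4410 HTTP/1.1" 200 88311 "-" "curl/8.5.0"
10.0.0.5 - alice [29/May/2026:09:12:08 +0000] "GET /mantis/api/rest/issues/1203/notes/78/files/4411 HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.0.0.7 - carol [29/May/2026:09:13:30 +0000] "GET /mantis/api/rest/issues/1203/notes/79/files/4412 HTTP/1.1" 403 210 "-" "curl/8.5.0"
10.0.0.9 - bob [29/May/2026:09:15:44 +0000] "GET /mantis/file_download.php?file_id=4413&type=bug&show_inline=1&file_show_inline_token=TOKEN HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.9 - bob [29/May/2026:09:16:02 +0000] "GET /mantis/file_download.php?file_id=4414&type=bug HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
NOTE_FILE_RE = re.compile(r'/api/rest/issues/(\d+)/notes/(\d+)/files/(\d+)$')

def triage(log_text):
    """Return one finding per completed GET that hit either risky endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Only completed (200) GETs matter: a 403 means the server refused the file.
        if not m or m['method'] != 'GET' or m['status'] != '200':
            continue
        url = urlsplit(m['path'])
        query = parse_qs(url.query)
        source = m['user'] if m['user'] != '-' else m['ip']
        size = int(m['size']) if m['size'] != '-' else 0
        note = NOTE_FILE_RE.search(url.path)
        if note:
            # Candidate for CVE-2026-42071: cross-check the note's view state in the
            # database afterwards; the log alone cannot tell private from public notes.
            findings.append({'cve': 'CVE-2026-42071', 'source': source, 'issue': int(note[1]),
                             'note': int(note[2]), 'file': int(note[3]), 'bytes': size})
        elif url.path.endswith('/file_download.php') and query.get('show_inline') == ['1']:
            # Candidate for CVE-2026-44657: an attachment rendered inline, not downloaded.
            findings.append({'cve': 'CVE-2026-44657', 'source': source,
                             'file': int(query.get('file_id', ['0'])[0]), 'bytes': size})
    return findings

def summarize(findings):
    """Count findings per (source, CVE) so bulk pulls by one account stand out."""
    return Counter((f['source'], f['cve']) for f in findings)

if __name__ == '__main__':
    print(*triage(SAMPLE_LOG), summarize(triage(SAMPLE_LOG)), sep='\n')
```

On the sample data the script flags alice's two REST downloads and bob's inline view, while carol's refused (403) request and bob's plain download are ignored; the flagged note ids still have to be checked against their view state in the MantisBT database.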

**Bugnote editing bypass for other users (CVE-2026-42070)**

CVE-2026-42070 (Medium) affects versions prior to 2.28.2. The mc_issue_update() function allows users who have update_bug_threshold access (UPDATER, by default) to edit, change view state, and modify time tracking on bugnotes belonging to other users — bypassing the default developer-level restrictions that should prevent such actions. The fix is included in 2.28.2.

**HTML injection via filter_target parameter (CVE-2026-41897)**

CVE-2026-41897 (Medium) affects versions 1.0.0 through 2.28.1. A lack of validation on the filter_target parameter in return_dynamic_filters.php — normally used as an AJAX endpoint on the View Issues Page — allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This was fixed in 2.28.2.

Patch status and response

MantisBT project maintainers released version 2.28.2 to address four of the five CVEs (CVE-2026-44657, CVE-2026-44655, CVE-2026-42071, CVE-2026-42070), while CVE-2026-41897 was fixed in the earlier 2.28.0 release. Users running any version below 2.28.2 are advised to upgrade immediately. No in-the-wild exploitation has been reported for any of these CVEs at the time of disclosure.

Why this matters

This batch highlights a recurring theme in mature open-source projects: a mix of longstanding issues (some dating back to version 1.0.0) and newer flaws introduced in recent feature development. For organizations running MantisBT as their primary issue tracker, the authorization bypass in CVE-2026-42071 is particularly concerning, as it allows any authenticated user — not just those with elevated privileges — to exfiltrate private bugnote attachments via the REST API. Administrators should prioritize upgrading to 2.28.2 and review their custom field configurations in light of the HTML injection flaws.

AI-written article. Grounded in 5 CVE records listed below.