High severity8.6GHSA Advisory· Published May 11, 2026· Updated May 11, 2026

MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

CVE-2026-34463

Description

When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires *manager* or *administrator* access level).

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

### Patches - df22697ae497ddd93f3d9132fdf4979db8d081cd

Workarounds

Make sure Project names do not contain any HTML tags.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.

Affected products

Mantisbt/MantisbtGHSA
Range: <= 2.28.1

Patches

df22697ae497

Escape Project name in bug_report_page.php

https://github.com/mantisbt/mantisbtDamien RegadMar 28, 2026via ghsa

commit

1 file changed · +3 −1

bug_report_page.php+3 −1 modified

@@ -278,7 +278,9 @@
 		<td>
 			<?php if( $t_changed_project ) {
 				/** @noinspection PhpUndefinedVariableInspection */
-				echo '[' . project_get_field( $t_bug->project_id, 'name' ) . '] ';
+				echo '['
+					. string_html_specialchars( project_get_field( $t_bug->project_id, 'name' ) )
+					. '] ';
 			} ?>
 			<select id="category_id" name="category_id" class="autofocus input-sm" <?php
 				echo helper_get_tab_index();

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000