Medium severity · GHSA Advisory · Published May 28, 2026 · Updated May 29, 2026
CVE-2026-41897
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of the filter_target parameter in return_dynamic_filters.php (normally used via AJAX on the View Issues page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 1.0.0, < 2.28.2 | 2.28.2 |
News mentions
- MantisBT: Five Bugs Disclosed Together — XSS, Auth Bypass, and Missing Access Controls (Vypr Intelligence · May 28, 2026)