High severity · GHSA Advisory · Published May 28, 2026 · Updated May 29, 2026
CVE-2026-44655
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 1.3.0 through 2.28.1, an unescaped Project Name allows an attacker who can set it (which typically requires manager or administrator access level) to inject HTML into the Move Attachments admin page. This vulnerability is fixed in 2.28.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 1.3.0, < 2.28.2 | 2.28.2 |
Affected products (2)
Patches
Vulnerability mechanics
References (5)
News mentions (1)
- MantisBT: Five Bugs Disclosed Together — XSS, Auth Bypass, and Missing Access Controls (Vypr Intelligence · May 28, 2026)