VYPR
High severity · 8.6 · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT has Stored XSS on Move Attachments Admin Page

CVE-2026-44655

Description

The unescaped project name allows an attacker who can set it (which typically requires manager or administrator access level) to inject HTML into the Move Attachments admin page.

Impact

Cross-site scripting (XSS). This is mitigated by the Content Security Policy, which restricts script execution.

Patches

5cb4b469295889f5d2b01677c9bf82c143e0fdaa

Workarounds

None

Patches

5cb4b4692958

Fix XSS on move_attachments_page.php

https://github.com/mantisbt/mantisbt · Damien Regad · May 3, 2026 · via ghsa
1 file changed · +1 −1
  • admin/move_attachments_page.php · +1 −1 · modified
    @@ -163,7 +163,7 @@ function get_attachment_stats( $p_file_type, $p_in_db ) {
     		}
     
     		echo '<tr>';
    -		echo '<td>' . $t_project['name'] . '</td>';
    +		echo '<td>' . string_html_specialchars( $t_project['name'] ) . '</td>';
     		echo '<td class="left">' . $t_file_path . '</td>';
     		echo '<td class="center">' . $t_disk_count . '</td>';
     		echo '<td class="center">' . $t_db_count . '</td>';
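Review bot: the fix escapes `$t_project['name']` with `string_html_specialchars()`, but the same row still echoes `$t_file_path`, `$t_disk_count` and `$t_db_count` raw. The counts are integers and the path comes from server-side configuration rather than from a project setting, so this is a consistency point rather than a second injection, but routing every `<td>` value through `string_html_specialchars()` would make the row safe by construction and avoid a repeat of this class of bug if the source of any of those values changes later.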
    
