VYPR
High severityGHSA Advisory· Published May 28, 2026· Updated May 29, 2026

CVE-2026-44657

CVE-2026-44657

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
mantisbt/mantisbtPackagist
< 2.28.22.28.2

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

1