VYPR · GHSA Advisory · High severity (7.5) · Published May 11, 2026 · Updated May 11, 2026

MantisBT Vulnerable to Stored XSS in File Download

CVE-2026-44657

Description

Using the *show_inline=1* parameter together with a valid *file_show_inline_token* CSRF token on file_download.php, an attacker can execute script in a victim's browser by uploading a crafted XHTML attachment that references a JavaScript attachment.
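The defensive point behind the fix is that a download endpoint must not let the stored MIME type of an attachment decide, on its own, whether the browser renders it as an active document. The following PHP function is an added example, not MantisBT's own code: it applies the same rule the fix commit introduces (inline-safe types keep their type; everything else is forced to `text/plain` or `application/octet-stream`, with audio and video left alone) and adds the `X-Content-Type-Options: nosniff` header, which is not part of the patch. The `$t_mime_force_inline` list, the function name and the sample attachments are assumptions constructed for the demonstration; filename handling for the Content-Disposition header is omitted.

```php
<?php
# Added example (not MantisBT's code): choose the response headers for a
# stored attachment so that XHTML, SVG, HTML and script files can never be
# rendered inline as active content, regardless of what the client requests.
function select_download_headers( string $p_mime_type, bool $p_requested_inline ): array {
	# Assumed list of types that are safe to render inline in the browser
	$t_mime_force_inline = array( 'image/png', 'image/jpeg', 'image/gif', 'application/pdf' );
	# Types that must never be shown inline because they can carry active content
	$t_mime_force_attachment = array(
		'application/x-shockwave-flash',
		'application/javascript',
		'image/svg+xml',
		'text/html',
	);

	# Normalise so that case tricks such as "Text/HTML" cannot bypass the lists
	$t_mime_type = strtolower( trim( $p_mime_type ) );
	$t_show_inline = $p_requested_inline;
	$t_content_type = $t_mime_type;

	if( in_array( $t_mime_type, $t_mime_force_inline, true ) ) {
		# Inline-safe types keep their actual MIME type
		$t_show_inline = true;
	} else {
		if( in_array( $t_mime_type, $t_mime_force_attachment, true ) ) {
			$t_show_inline = false;
		}
		# Before the fix, the denylist above was the only control: an
		# "application/xhtml+xml" attachment was served inline with its real
		# type and could load a script attachment. Mapping the Content-Type by
		# top-level type closes that gap for every type not explicitly listed.
		[$t_type] = explode( '/', $t_mime_type );
		if( $t_type == 'text' ) {
			# text/html, text/javascript, text/xml ... all become inert text
			$t_content_type = 'text/plain';
		} elseif( !in_array( $t_type, ['audio', 'video'], true ) ) {
			# Everything else, including application/xhtml+xml and image/svg+xml
			$t_content_type = 'application/octet-stream';
		}
	}

	return array(
		'Content-Type'           => $t_content_type,
		'Content-Disposition'    => ( $t_show_inline ? 'inline' : 'attachment' ),
		# Not in the patch: stops the browser from sniffing a different type
		'X-Content-Type-Options' => 'nosniff',
	);
}

# Constructed samples: the attachment pair from the advisory plus benign files
$t_samples = array(
	array( 'application/xhtml+xml', true ),
	array( 'text/javascript',       true ),
	array( 'Text/HTML',             true ),
	array( 'image/png',             false ),
	array( 'video/mp4',             true ),
);
foreach( $t_samples as [$t_mime, $t_inline] ) {
	$t_headers = select_download_headers( $t_mime, $t_inline );
	printf( "%-24s requested_inline=%d -> %s; %s\n",
		$t_mime, (int)$t_inline, $t_headers['Content-Type'], $t_headers['Content-Disposition'] );
}
```

Run with `php select_download_headers.php`: the XHTML and SVG cases come back as `application/octet-stream`, the HTML and JavaScript cases as `text/plain`, the PNG is forced inline with its own type, and the video keeps `video/mp4`. The important design choice, mirrored from the patch, is that the allowlist of inline-safe types is the only path that preserves the original Content-Type; the denylist merely controls the disposition.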

Impact

Cross-site scripting

Patches

26647b2e68ba30b9d7987d4e03d7a16416684bc2

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Patches (1)

Commit 26647b2e68ba

Restrict MIME type for file downloads

https://github.com/mantisbt/mantisbt · Damien Regad · May 3, 2026 · via ghsa
1 file changed · +19 −2
  • file_download.php (+19 −2, modified)
    @@ -196,6 +196,7 @@
     );
     $t_mime_force_attachment = array(
     	'application/x-shockwave-flash',
    +	'application/javascript',
     	'image/svg+xml', # SVG could contain CSS or scripting, see #30384
     	'text/html',
     );
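Review bot: the `+	'application/javascript',` line extends the denylist with only one script type; `text/javascript`, the registered script MIME type, and the `application/xhtml+xml` attachment named in the advisory are still absent from `$t_mime_force_attachment`, so this list by itself would not close the reported issue. The generic mapping in the next hunk (text/* to text/plain, everything else to application/octet-stream) is what actually neutralises those types, so add a comment here, in the style of the `# SVG could contain CSS or scripting, see #30384` line, stating that this list now only controls the disposition and is not the complete set of blocked types.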
    @@ -206,8 +207,24 @@
     
     if( in_array( $t_mime_type, $t_mime_force_inline ) ) {
     	$t_show_inline = true;
    -} else if( in_array( $t_mime_type, $t_mime_force_attachment ) ) {
    -	$t_show_inline = false;
    +
    +	# For attachments allowed inline, use the file's actual MIME type as-is
    +} else {
    +	if( in_array( $t_mime_type, $t_mime_force_attachment ) ) {
    +		$t_show_inline = false;
    +	}
    +
    +	# Set Content-Type based on MIME type
    +	[$t_type] = explode( '/', $t_mime_type );
    +	if( $t_type == 'text' ) {
    +		# Ensures we don't interpret HTML, JavaScript, etc.
    +		$t_content_type = 'text/plain';
    +	} elseif( in_array( $t_type, ['audio', 'video'] ) ) {
    +		# No special treatment needed for audio & video
    +	} else {
    +		# Everything else
    +		$t_content_type = 'application/octet-stream';
    +	}
     }
     
     http_content_disposition_header( $t_filename, $t_show_inline );
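Review bot: the `elseif( in_array( $t_type, ['audio', 'video'] ) )` branch contains no statement, so `$t_content_type` keeps whatever value it held before this hunk, which the diff does not show; either assign it explicitly (`$t_content_type = $t_mime_type;`) or invert the test to `if( !in_array( $t_type, ['audio', 'video'] ) )` so the intent survives without the comment. The `$t_type == 'text'` comparison is also case-sensitive: a stored type such as `Text/HTML` misses both this check and the `$t_mime_force_attachment` lookup and falls through to `application/octet-stream`, which is still safe but deserves a `strtolower()` before the `explode()` so the behaviour is deliberate. Finally, the comment `# For attachments allowed inline, use the file's actual MIME type as-is` sits after an empty line at the bottom of the `if` block, where it reads as a stray; move it above `$t_show_inline = true;`.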
    
