Vulnerability in Mantis Bug Tracker Allows HTML Injection
CVE-2026-41897

5.3MEDIUM

Key Information:

Vendor

Mantisbt

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-41897?

The Mantis Bug Tracker, an open-source issue tracking system, is susceptible to an HTML injection issue due to insufficient validation of the 'filter_target' parameter in the 'return_dynamic_filters.php' file. This vulnerability affects versions from 1.0.0 to 2.28.1. Attackers could exploit this flaw to inject arbitrary HTML into TEXTAREA custom fields, compromising data integrity and potentially executing malicious scripts within the application context. This issue was addressed in version 2.28.2, highlighting the importance of keeping software updated to mitigate security risks.

Affected Version(s)

mantisbt >= 1.0.0, < 2.28.2

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.