HTML Injection Vulnerability in Mantis Bug Tracker by MantisBT
CVE-2026-44655
8.6 HIGH
What is CVE-2026-44655?
Mantis Bug Tracker, an open-source issue tracking system, is vulnerable to an HTML injection flaw: the project name is written into the Move Attachments admin page without escaping, so a user with manager or administrator privileges can inject HTML through it. Versions 1.3.0 through 2.28.1 are affected; the flaw is fixed in version 2.28.2. An attacker holding those privileges could use it to manipulate the Move Attachments admin page, putting the integrity of the application at risk.
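The pattern behind this class of bug, as an added illustration that is not MantisBT's own code: a project name stored by a privileged user is later concatenated into page markup as-is, and the fix is to HTML-encode it at the output point. The function names, the `<option>` markup and the sample project name are assumptions for the example.

```php
<?php
// Added illustration, not MantisBT's own code.

// Constructed project name carrying HTML (sample value, not from the advisory).
$projectName = 'Web <s>App</s> <a href="https://example.invalid">x</a>';

// Vulnerable pattern: the stored name is dropped straight into the markup,
// so any tags it contains become part of the admin page's DOM.
function render_option_unescaped(int $id, string $name): string
{
    return "<option value=\"$id\">$name</option>";
}

// Hardened pattern: every untrusted value is HTML-encoded where it is output.
// ENT_QUOTES also encodes quote characters, so the value cannot break out of
// an attribute if it is ever placed inside one.
function render_option_escaped(int $id, string $name): string
{
    return '<option value="' . (int) $id . '">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</option>';
}

// Compare the two renderings: the first keeps the tags live, the second
// shows them as literal text.
echo render_option_unescaped(7, $projectName), PHP_EOL;
echo render_option_escaped(7, $projectName), PHP_EOL;
```

Since only managers and administrators can set project names, the practical defence is the upgrade to 2.28.2 plus keeping those roles limited to trusted accounts.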
Affected Version(s)
mantisbt >= 1.3.0, < 2.28.2
