Code Execution Vulnerability in Mantis Bug Tracker
CVE-2026-44657
7.5 HIGH
What is CVE-2026-44657?
Mantis Bug Tracker versions prior to 2.28.2 are vulnerable to a code execution flaw. The issue is reached through file_download.php when the show_inline=1 parameter is supplied together with a valid file_show_inline_token CSRF token. By abusing this inline-display feature and uploading a specially crafted XHTML attachment that references a JavaScript file, an attacker can execute arbitrary code on the server. Users are advised to upgrade to version 2.28.2 or later to mitigate this risk.
Affected Version(s)
mantisbt < 2.28.2
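As an added defensive example that is not part of this advisory or of MantisBT's own code: a Python helper that decides whether an uploaded attachment may be served with an inline disposition and forces a plain download for active markup such as XHTML, SVG or HTML, whatever MIME type was declared at upload. The allowlist, the markup sniffing and the header set are assumptions of this example, not MantisBT behaviour.

```python
import re

# Added example, not MantisBT code. Types browsers render passively, i.e. without
# executing script. Anything else is served as a download. (Assumed allowlist.)
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp", "text/plain"}

# Markers of active markup in the first bytes of a file, checked regardless of the
# declared type, since an XHTML document can be uploaded under a misleading type.
ACTIVE_MARKUP = re.compile(rb"<\s*(?:\?xml|!doctype|html|xhtml|svg|script)", re.IGNORECASE)


def inline_disposition(declared_type: str, content: bytes, filename: str) -> dict:
    """Return response headers for serving an attachment that was requested inline.

    Inline rendering is allowed only for allowlisted passive types whose leading
    bytes do not look like active markup; everything else becomes an attachment
    with an opaque content type so the browser cannot render it under the
    application's origin.
    """
    base_type = declared_type.split(";")[0].strip().lower()
    head = content[:2048].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and whitespace
    looks_active = bool(ACTIVE_MARKUP.search(head))
    disposition = "inline" if base_type in INLINE_SAFE_TYPES and not looks_active else "attachment"
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes or path characters
    return {
        "Content-Type": base_type if disposition == "inline" else "application/octet-stream",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Even for inline responses, forbid script and subresource loads.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed samples: a PNG header and an XHTML document that loads a script.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    xhtml = (b'<?xml version="1.0"?><!DOCTYPE html>'
             b'<html xmlns="http://www.w3.org/1999/xhtml"><script src="x.js"/></html>')
    for name, ctype, data in [("shot.png", "image/png", png),
                              ("report.xhtml", "application/xhtml+xml", xhtml),
                              ("fake.png", "image/png", xhtml)]:
        print(name, "->", inline_disposition(ctype, data, name)["Content-Disposition"])
```

The third sample shows why content sniffing is needed in addition to the type allowlist: a declared image type alone would have let the XHTML through.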
