PatchSiren cyber security CVE debrief
CVE-2026-34463 mantisbt CVE debrief
A stored cross-site scripting (XSS) vulnerability exists in Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior. The flaw occurs in the issue cloning workflow: when a user clones an issue from a different project, the bug_report_page.php form prepends the source project's name before the category selector without proper HTML escaping. An attacker with manager or administrator privileges—who can set project names—can inject malicious HTML/JavaScript into the project name field. When another user subsequently clones an issue from that project, the injected payload executes in their browser context. The vulnerability was resolved in MantisBT 2.28.2.
- Vendor: mantisbt
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Organizations running MantisBT instances with multiple projects and delegated administrative access should prioritize this patch. The high privilege requirement (manager/administrator) limits the attack surface but does not eliminate risk in environments with many project managers or compromised administrative accounts. Security teams should also assess whether project naming conventions and user access controls adequately prevent insider threats or account takeover scenarios that could enable exploitation.
Technical summary
The vulnerability stems from insufficient output encoding in MantisBT's bug_report_page.php. When rendering the clone issue form, the application concatenates the source project name directly into HTML output without entity encoding or sanitization. The project name field, writable by users with manager or administrator roles, becomes an injection point for JavaScript payloads. The stored nature of this XSS means the malicious content persists in the project configuration and executes whenever the cloning workflow is initiated from that project. The fix implements proper escaping of the project name before HTML rendering, neutralizing script injection while preserving legitimate display functionality.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability
- Review project names in existing MantisBT installations for suspicious HTML/JavaScript content, particularly those created by administrative users
- Implement principle of least privilege for project management capabilities, limiting the number of users with project name modification rights
- Consider additional output encoding validation for project metadata fields as a defense-in-depth measure
- Monitor web application logs for unusual patterns in issue cloning activities that may indicate exploitation attempts
- Review and update Content Security Policy (CSP) headers to mitigate impact of any undiscovered XSS vectors in MantisBT
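A small defender-side illustration of two points above, added here and not code from MantisBT or its fix commit: the project-name review from the actions list, done as a scan for HTML/JavaScript-like content, next to the difference between concatenating a project name straight into HTML and entity-encoding it first, which is what the 2.28.2 fix does. The sample project names, the span markup and the regular expression are constructed assumptions, not MantisBT's real templates or data.

```python
import html
import re

# Constructed sample of MantisBT project names (id -> name); not real data.
# Entry 2 is a legitimate name containing an ampersand and must not be flagged.
SAMPLE_PROJECT_NAMES = {
    1: "Website Redesign",
    2: "Billing & Invoicing",
    3: "QA <script>alert(1)</script>",
    4: 'Mobile <img src=x onerror="alert(1)">',
    5: "Ops <b>team</b>",
}

# What a reviewer would treat as suspicious in a project name: any HTML tag,
# an inline event-handler attribute, or a javascript: URL scheme.
SUSPICIOUS_MARKUP = re.compile(
    r"<\s*/?\s*[a-z][^>]*>"   # an HTML tag such as <script> or <img ...>
    r"|\bon[a-z]+\s*="        # onerror=, onload=, onclick=, ...
    r"|javascript\s*:",       # javascript: pseudo-URL
    re.IGNORECASE,
)


def suspicious_project_names(names):
    """Return {project_id: name} for every name containing HTML/JS-like content."""
    return {pid: name for pid, name in names.items() if SUSPICIOUS_MARKUP.search(name)}


def render_project_label_unescaped(project_name):
    """Flawed pattern (assumed markup): the name is concatenated into the HTML
    response as-is, so any tags inside it become live markup in the clone form."""
    return '<span class="project-name">' + project_name + '</span>'


def render_project_label_escaped(project_name):
    """Fixed pattern: entity-encode the name before rendering, the Python
    equivalent of PHP's htmlspecialchars(). Tags survive only as visible text."""
    return '<span class="project-name">' + html.escape(project_name, quote=True) + '</span>'


def audit(names=SAMPLE_PROJECT_NAMES):
    """Report flagged project names and show both renderings for each."""
    flagged = suspicious_project_names(names)
    for pid, name in flagged.items():
        print(f"project {pid}: {name!r}")
        print("  unescaped:", render_project_label_unescaped(name))
        print("  escaped:  ", render_project_label_escaped(name))
    return flagged


if __name__ == "__main__":
    audit()
```

Against a live installation the same scan would run over an export of the project table; the regex is deliberately broad, so treat hits as review candidates rather than confirmed tampering.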
Evidence notes
The vulnerability description is sourced from the official CVE record and NVD entry, with additional technical details from the GitHub Security Advisory and MantisBT issue tracker. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, high privileges required, and high impacts to confidentiality, integrity, and availability. The CWE-79 classification confirms stored XSS. The fix commit df22697ae497ddd93f3d9132fdf4979db8d081cd addresses the escaping deficiency in bug_report_page.php.