PatchSiren cyber security CVE debrief

CVE-2026-41897 mantisbt CVE debrief

Mantis Bug Tracker (MantisBT) versions 1.0.0 through 2.28.1 contain a stored cross-site scripting (XSS) vulnerability in the `return_dynamic_filters.php` endpoint. The `filter_target` parameter lacks proper validation, allowing an attacker with authenticated access to inject arbitrary HTML when the target is a TEXTAREA custom field. This endpoint is typically invoked via AJAX from the View Issues Page. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS 4.0 score of 5.3 (Medium severity). The issue was resolved in version 2.28.2.

Vendor: mantisbt
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running MantisBT instances with custom TEXTAREA fields and multi-user access environments. Security teams responsible for application security in bug tracking and issue management platforms.

Technical summary

The vulnerability exists in `return_dynamic_filters.php`, an AJAX endpoint used by the View Issues Page. The `filter_target` parameter accepts user-supplied input without adequate sanitization. When this parameter references a TEXTAREA custom field, unvalidated HTML can be injected and subsequently rendered in the browser context of other users. This constitutes a stored XSS condition requiring authenticated access to exploit. The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N reflects network attack vector, low attack complexity, low privileges required, and low impacts to confidentiality and integrity with no availability impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability.
  • Review and validate all custom TEXTAREA fields for unexpected HTML content if running affected versions.
  • Implement Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors.
  • Audit access logs for requests to `return_dynamic_filters.php` with unusual `filter_target` parameters prior to patching.
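As an added example for the log-audit action above (it is not code from the advisory or from the MantisBT project), the script below parses combined-format access log lines, keeps only requests to `return_dynamic_filters.php`, and flags `filter_target` values that are not identifier-like. The identifier-only assumption, the log format and the sample lines are mine; the advisory does not say what legitimate values look like.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic); only the
# second carries HTML in filter_target, and the POST keeps its parameters in
# the request body, which access logs do not record.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:01:02 +0000] "GET /mantis/return_dynamic_filters.php?filter_target=show_category&view_type=simple HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [29/May/2026:10:01:05 +0000] "GET /mantis/return_dynamic_filters.php?filter_target=custom_field_2%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [29/May/2026:10:01:09 +0000] "GET /mantis/view_all_bug_page.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.13 - - [29/May/2026:10:01:12 +0000] "POST /mantis/return_dynamic_filters.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: a legitimate filter_target is an identifier-like token; anything
# else (angle brackets, quotes, spaces) deserves a look.
IDENT_RE = re.compile(r'^[A-Za-z0-9_]+$')
ENDPOINT = '/return_dynamic_filters.php'


def audit_line(line):
    """Return a finding dict for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec['target'])
    if not url.path.endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes once, so %3C is already '<' when checked
    values = parse_qs(url.query, keep_blank_values=True).get('filter_target', [])
    if not values:
        verdict = 'unseen-param'   # e.g. a POST body the access log cannot show
    elif all(IDENT_RE.match(v) for v in values):
        verdict = 'ok'
    else:
        verdict = 'suspicious'
    return {'ip': rec['ip'], 'ts': rec['ts'], 'method': rec['method'],
            'status': rec['status'], 'filter_target': values, 'verdict': verdict}


def audit_log(text):
    """Findings for every request to the endpoint, in log order."""
    return [f for f in map(audit_line, text.splitlines()) if f]
```

Requests with verdict `unseen-param` need the application or proxy request-body log, if one exists, before they can be cleared.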

Evidence notes

Vulnerability affects MantisBT 1.0.0 to 2.28.1. Fix commit c885af13f0b8596714ffe11df757c09f35fbd8f4 addresses the validation gap. Official GitHub Security Advisory GHSA-j7v9-f46r-2rp4 and MantisBT bug tracker issue 37013 confirm technical details.
