CVE-2026-44655 mantisbt CVE debrief

Who should care

MantisBT administrators and security teams managing issue tracking infrastructure. Organizations with delegated project management responsibilities where lower-privileged managers may have project configuration access. Security auditors reviewing web application access controls and output encoding implementations.

Technical summary

The vulnerability exists in MantisBT's handling of Project Name display on the Move Attachments administration page. The application fails to apply HTML entity encoding when rendering project names in this specific context, permitting injection of arbitrary HTML and JavaScript. The attack surface is constrained to users with elevated privileges (manager or administrator) who can modify project configuration. The fix in commit 5cb4b469295889f5d2b01677c9bf82c143e0fdaa implements proper escaping to neutralize injected markup.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability.
• Review and audit Project Name values in existing MantisBT installations for unexpected HTML or script content.
• Implement principle of least privilege by limiting manager and administrator account assignments.
• Enable Content Security Policy (CSP) headers as a defense-in-depth measure to mitigate impact of any residual XSS vectors.
• Monitor administrative access logs for unusual Project Name modification activity.

Evidence notes

Vulnerability affects MantisBT 1.3.0 to 2.28.1. Fixed in 2.28.2. Attack requires manager/administrator access to modify Project Name. CWE-79 (Improper Neutralization of Input During Web Page Generation). CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

Official resources