PatchSiren cyber security CVE debrief
CVE-2026-44657 mantisbt CVE debrief
Mantis Bug Tracker (MantisBT) versions prior to 2.28.2 contain a stored cross-site scripting vulnerability that can lead to code execution. An attacker with the ability to upload attachments can craft a malicious XHTML file that references a separate JavaScript attachment. When a victim accesses the file_download.php endpoint with the show_inline=1 parameter and a valid file_show_inline_token CSRF token, the embedded script executes in the victim's browser context. The vulnerability requires user interaction and low privileges, but results in high impact to confidentiality and integrity per the CVSS 4.0 vector. The issue was resolved in MantisBT 2.28.2 through a security patch.
- Vendor
- mantisbt
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-28
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-28
- Advisory updated
- 2026-05-29
Who should care
Organizations running MantisBT issue tracking systems, particularly those allowing file attachments from multiple users or external parties. Security teams responsible for web application security and content management systems. Development teams maintaining MantisBT deployments or forks. Incident response teams investigating potential compromise of MantisBT instances through malicious attachments.
Technical summary
The vulnerability exists in MantisBT's file download functionality when handling inline display of XHTML attachments. The show_inline=1 parameter on file_download.php enables browser rendering of attachment content. A valid file_show_inline_token CSRF token is required, but once obtained, an attacker can chain a crafted XHTML attachment (uploaded to the system) with a reference to a JavaScript attachment to achieve script execution. The attack is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The fix in commit 26647b2e68ba30b9d7987d4e03d7a16416684bc2 addresses the improper neutralization. The CVSS 4.0 score of 7.5 (HIGH) reflects the significant confidentiality and integrity impact despite the required user interaction and present attack requirements.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade MantisBT to version 2.28.2 or later to remediate this vulnerability
- Review file attachment upload policies and consider restricting XHTML and JavaScript file types if not required for business operations
- Implement Content Security Policy headers to mitigate impact of any residual XSS vectors
- Audit existing attachments for suspicious XHTML files referencing JavaScript content, particularly those uploaded prior to patching
- Validate that file_show_inline_token CSRF tokens are properly scoped and time-limited to reduce attack window
- Monitor access logs for file_download.php requests with show_inline=1 parameter targeting unusual attachment combinations
Evidence notes
CVE description confirms stored XSS via crafted XHTML attachment with JavaScript reference. CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L) indicates network attack vector, low attack complexity, present attack requirements, low privileges required, user interaction needed, with high confidentiality and integrity impact. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the primary weakness. Fix confirmed via GitHub commit 26647b2e68ba30b9d7987d4e03d7a16416684bc2. Multiple GitHub Security Advisories (GHSA-9c3j-xm6v-j7j3, GHSA-p6fr-rxq7-xcg8) and MantisBT bug tracker issue 37020 document the vulnerability.
Official resources
2026-05-28