GHSA-fvjf-68wh-rwp2

Source

https://github.com/advisories/GHSA-fvjf-68wh-rwp2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fvjf-68wh-rwp2/GHSA-fvjf-68wh-rwp2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fvjf-68wh-rwp2

Aliases

CVE-2026-34463

Published

2026-05-11T19:32:11Z

Modified

2026-05-11T19:48:55.768071Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

Details

When cloning an issue originating from a Project other than the current one, the clone form (bugreportpage.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires manager or administrator access level).

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

Patches

df22697ae497ddd93f3d9132fdf4979db8d081cd

Workarounds

Make sure Project names do not contain any HTML tags.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:32:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name: mantisbt/mantisbt
Purl: pkg:composer/mantisbt/mantisbt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.28.2

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.12.2

2.13.0

2.13.1

2.13.2

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.18.0

2.18.1

2.19.0

2.19.1

2.20.0

2.20.1

2.21.0

2.21.1

2.21.2

2.21.3

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.24.0

2.24.1

2.24.2

2.24.3

2.24.4

2.24.5

2.25.0

2.25.1

2.25.2

2.25.3

2.25.4

2.25.5

2.25.6

2.25.7

2.25.8

2.26.0

2.26.1

2.26.2

2.26.3

2.26.4

2.27.0

2.27.1

2.27.2

2.27.3

2.28.0

2.28.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fvjf-68wh-rwp2/GHSA-fvjf-68wh-rwp2.json"

last_known_affected_version_range

"<= 2.28.1"