CVE-2026-44655

Severity CVSS v4.0:
HIGH
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
28/05/2026
Last modified:
29/05/2026

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2.