Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions from 1.0.0 up to and including 2.28.1, the filter_target parameter of return_dynamic_filters.php (normally called via AJAX from the View Issues page) is not validated, which allows an attacker to inject arbitrary HTML when the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2.

State: PUBLISHED | Reserved 2026-04-22 | Published 2026-05-28 | Updated 2026-05-30 | Assigner: GitHub_M

Severity: MEDIUM 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 1.0.0, < 2.28.2: affected

References

github.com/...ntisbt/security/advisories/GHSA-j7v9-f46r-2rp4

github.com/...ommit/c885af13f0b8596714ffe11df757c09f35fbd8f4

mantisbt.org/bugs/view.php?id=37013

cve.org (CVE-2026-41897)

nvd.nist.gov (CVE-2026-41897)