CVE-2026-34463 Overview
CVE-2026-34463 is a Stored Cross-Site Scripting (XSS) vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracker. The flaw affects versions 2.28.1 and prior. When a user clones an issue originating from a different project, the clone form bug_report_page.php prepends the source project name before the category selector without proper escaping. An attacker who can set a project's name, typically requiring manager or administrator access, can inject HTML or JavaScript that executes in the browser of any user cloning an affected issue. Maintainers resolved the issue in version 2.28.2. The vulnerability is classified under CWE-79.
Critical Impact
A privileged attacker can inject persistent JavaScript that executes in the context of any user cloning a cross-project issue, enabling session theft, privilege escalation, and account takeover within MantisBT.
Affected Products
- Mantis Bug Tracker (MantisBT) versions 2.28.1 and prior
- MantisBT instances permitting cross-project issue cloning
- Deployments where manager or administrator accounts are not strictly limited
Discovery Timeline
- 2026-05-19 - CVE-2026-34463 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-34463
Vulnerability Analysis
The vulnerability resides in the issue clone workflow exposed by bug_report_page.php. When a user clones an issue that originated in a project different from the currently selected project, MantisBT displays a contextual label that includes the source project's name. The rendering logic concatenates this project name directly into the HTML output immediately before the category selector control, bypassing the output encoding routines used elsewhere in the form. Because project names are persisted in the database and rendered each time the clone form loads, the injection produces a stored XSS condition rather than a reflected one. The payload executes with the privileges and session context of any user who interacts with the cross-project clone form.
Root Cause
The root cause is missing HTML output escaping when concatenating the source project name into the clone form view. MantisBT trusts project name data on the assumption that only managers or administrators can write it, but trust at the input layer does not substitute for contextual encoding at the output layer. The defect is a textbook CWE-79 Improper Neutralization of Input During Web Page Generation.
Attack Vector
Exploitation requires an account with manager or administrator privileges, or a successful compromise of such an account. The attacker sets a project's display name to a string containing an HTML or JavaScript payload. When any user, including higher-privileged administrators, clones an issue belonging to that project from a different project context, the payload executes in their browser. Successful exploitation can steal session cookies, perform actions as the victim, modify issue data, or pivot to broader administrative compromise. Technical details are documented in the GitHub Security Advisory GHSA-fvjf-68wh-rwp2 and the upstream fix commit.
Detection Methods for CVE-2026-34463
Indicators of Compromise
- Project names in the MantisBT database containing HTML tags, <script> elements, event handler attributes such as onerror= or onload=, or javascript: URIs.
- Web server access logs showing requests to bug_report_page.php with unusual Referer or session cookie exfiltration patterns following a project rename.
- Audit log entries showing project name modifications performed by manager or administrator accounts shortly before anomalous session activity.
Detection Strategies
- Query the mantis_project_table for project names containing characters such as <, >, ", or = and review any matches for injected markup.
- Inspect rendered HTML from bug_report_page.php when cloning cross-project issues to confirm the source project name is properly entity-encoded.
- Correlate administrative project-rename events with subsequent outbound network requests from analyst browsers to untrusted domains.
Monitoring Recommendations
- Enable and centralize MantisBT audit logs covering project creation, renames, and permission changes for review by the security team.
- Forward web server access logs for the MantisBT instance to a SIEM and alert on suspicious payload patterns in request parameters and stored fields.
- Monitor browser security telemetry for Content Security Policy violations originating from MantisBT pages.
How to Mitigate CVE-2026-34463
Immediate Actions Required
- Upgrade MantisBT to version 2.28.2 or later, which contains the fix applied in commit df22697ae497ddd93f3d9132fdf4979db8d081cd.
- Audit all existing project names and remove or sanitize any entries containing HTML or JavaScript syntax.
- Review accounts holding manager or administrator privileges and revoke access that is not strictly required.
Patch Information
The MantisBT maintainers fixed the issue in version 2.28.2. The patch applies proper HTML escaping to the source project name rendered by bug_report_page.php before the category selector. Administrators should consult the GitHub Security Advisory GHSA-fvjf-68wh-rwp2, the upstream commit, and MantisBT Bug Report #36986 for full remediation details.
Workarounds
- Restrict the manager and administrator roles to a minimal set of trusted users until the upgrade is deployed.
- Enforce a strict Content Security Policy on the MantisBT web application to block inline script execution.
- Manually validate that all project names contain only alphanumeric and safe punctuation characters, and reject names containing HTML metacharacters.
# Identify potentially malicious project names in MySQL/MariaDB before upgrading
mysql -u mantis_user -p mantis_db -e "SELECT id, name FROM mantis_project_table WHERE name REGEXP '[<>\"=]' OR name LIKE '%script%' OR name LIKE '%javascript:%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
