CVE-2026-34463

Description

When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires *manager* or *administrator* access level). ### Impact Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. ### Patches - df22697ae497ddd93f3d9132fdf4979db8d081cd ### Workarounds Make sure Project names do not contain any HTML tags. ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue. The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Advisory's publication.

How to fix CVE-2026-34463

To remediate CVE-2026-34463, upgrade the affected package to a fixed version below.

• —upgrade to 2.28.2 or later

Is CVE-2026-34463 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.28.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-34463
• PATCHgithub.com/mantisbt/mantisbt
• WEBgithub.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd
• WEBgithub.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2