CVE-2026-44655 — MantisBT has Stored XSS on Move Attachments Admin Page

Description

Unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. ### Impact Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution. ### Patches - 5cb4b469295889f5d2b01677c9bf82c143e0fdaa ### Workarounds None

How to fix CVE-2026-44655

To remediate CVE-2026-44655, upgrade the affected package to a fixed version below.

Packagist/mantisbt/mantisbt—upgrade to 2.28.2 or later

Is CVE-2026-44655 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.3.0, < 2.28.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-44655
PATCHgithub.com/mantisbt/mantisbt
WEBgithub.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa
WEBgithub.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59