CVE-2026-34463: MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

May 11, 2026 (updated June 5, 2026)

When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project’s name (which typically requires manager or administrator access level).

References

github.com/advisories/GHSA-fvjf-68wh-rwp2
github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd
github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2
mantisbt.org/bugs/view.php?id=36986
nvd.nist.gov/vuln/detail/CVE-2026-34463

Code Behaviors & Features

Detect and mitigate CVE-2026-34463 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →