CVE-2026-44655: MantisBT has Stored XSS on Move Attachments Admin Page
The Project Name is not escaped on output, which allows an attacker who can set it (this typically requires manager or administrator access level) to inject HTML into the Move Attachments admin page.