CVE-2026-34463: MantisBT is Vulnerable to Stored HTML Injection/XSS in Clone Issue Form

7.5CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-34463
Vendor	composer
Affected Product	mantisbt/mantisbt
Vulnerability Type	Vulnerability
CVSS Score	7.5 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker able to to inject HTML if they can set the Project's name (which typically requires *manager* or *administrator* access level).

Impact

Cross-site scripting (XSS). This is mitigated by Content Security Policy which restricts scripts execution.

Patches

• df22697ae497ddd93f3d9132fdf4979db8d081cd

Workarounds

Make sure Project names do not contain any HTML tags.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue. The vulnerability was also identified and independently reported by @siunam321 (Tang Cheuk Hei), prior to this Adviso

🎯 Known Indicators of Compromise

{"type":"sha1","value":"df22697ae497ddd93f3d9132fdf4979db8d081cd","confidence_score":0.9,"first_seen":"2026-05-11","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-34463 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →