CVSS 7.5 HIGH Vulnerability

CVE-2026-44655: MantisBT has Stored XSS on Move Attachments Admin Page


• CVSS Score: 7.5
• Severity: HIGH
• CISA KEV: NO
• Impact Type: Vulnerability

📋 Vulnerability Details

• CVE ID: CVE-2026-44655
• Vendor: composer
• Affected Product: mantisbt/mantisbt
• Vulnerability Type: Vulnerability
• CVSS Score: 7.5 (HIGH)
• Actively Exploited: ❌ No known exploitation
• Patch Status: See Vendor Advisory
• Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

An unescaped Project Name allows an attacker who can set it (which typically requires manager or administrator access level) to inject HTML into the Move Attachments admin page.

Impact

Cross-site scripting (XSS). This is mitigated by the Content Security Policy, which restricts script execution.

Patches

• 5cb4b469295889f5d2b01677c9bf82c143e0fdaa

Workarounds

None

🎯 Known Indicators of Compromise

{"type":"sha1","value":"5cb4b469295889f5d2b01677c9bf82c143e0fdaa","confidence_score":0.9,"first_seen":"2026-05-11","source_count":1}

The only entry is a SHA-1 identical to the patch commit listed under Patches.
