MantisBT, Reflected XSS, CVE-2026-41897 (Medium)

Listen to this Post

The vulnerability resides in the `return_dynamic_filters.php` file. When a user provides a `filter_target` GET parameter (normally used to load custom fields via AJAX on the “View Issues” page), the code does not validate or sanitize the input. Specifically, the function extracts a numeric ID from a string starting with custom_field_. However, if an attacker injects arbitrary HTML into this ID, the value is passed unsanitized to the `print_filter_custom_field()` function. Inside print_filter_custom_field(), for a textarea custom field, the attacker-controlled value is reflected back directly into the HTML output as part of the `