MantisBT, Stored XSS, CVE-2026-44657 (High)

Listen to this Post

How the mentioned CVE works

This stored cross-site scripting vulnerability resides in MantisBT’s file download mechanism. By default, the `file_download.php` script uses the `http_content_disposition_header` function to serve attachments. When a user supplies the `show_inline=1` parameter alongside a valid `file_show_inline_token` CSRF token, the forced inline rendering bypasses the normal download logic.
The vulnerability stems from an incomplete MIME type blacklist in the `$t_mime_force_attachment` array – the array includes application/x-shockwave-flash, image/svg+xml, and text/html, but excluded text/xml. An attacker can upload a crafted XHTML file (detected as `text/xml` by PHP’s Fileinfo) and combine it with a CSRF token. The CSRF token is not invalidated after use, so an attacker can first obtain a valid token by uploading an innocent image, audio, or video file, then reuse that token to force the XHTML attachment to be rendered inline. When the victim views the issue, the XHTML file loads a separate JavaScript attachment, leading to arbitrary code execution in the victim’s browser.

DailyCVE form:

Platform: `MantisBT bug tracker`
Version: `up to 2.28.1`
Vulnerability: `Stored XSS in file download`
Severity: `High`
date: `May 11, 2026`

Prediction: `Patch already applied (2.28.2)`

What Undercode Say: Analytics

The following bash commands can be used to detect vulnerable MantisBT instances and monitor for exploitation attempts.

Check MantisBT version in config_inc.php
grep "MantisBT" /var/www/html/mantisbt/config_inc.php
Scan logs for suspicious file_download.php requests
grep "file_download.php.show_inline=1" /var/log/apache2/access.log
Search for XHTML attachments in bug notes
mysql -u mantis_user -p mantis_db -e "SELECT id, filename FROM mantis_bug_file_table WHERE filename LIKE '%.xhtml' OR filename LIKE '%.xml';"
Monitor for token reuse anomalies
awk '/file_show_inline_token/ {print $1, $4, $7}' /var/log/mantisbt/security.log | sort | uniq -c
Example Python snippet to test for missing text/xml blocklist
import requests
from base64 import b64encode
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<script src="exploit.js"></script>
</body>
</html>
'''
encoded = b64encode(payload.encode()).decode()
files = {'files': [{'name': 'poc.xhtml', 'content': encoded}]}
r = requests.post('https://target/api/rest/issues/1/files', json=files)
print(r.status_code, r.text)

Exploit

To exploit CVE-2026-44657, an attacker with at least “Reporter” permissions must follow this multi-step chain:
1. Upload an image, audio, or video file to generate a valid `file_show_inline_token` CSRF token.
2. Upload a JavaScript file (e.g., exploit.js) that will later be loaded to execute arbitrary code.
3. Upload a crafted XHTML file (e.g., exploit.xhtml) containing a reference to the JavaScript file.
4. Obtain the CSRF token by inspecting the image file’s page source (e.g., via browser devtools or automated script).
5. Request the XHTML file with `show_inline=1` and the stolen token:
https://target/file_download.php?file_id=ATK_XHTML_ID&type=bug&show_inline=1&file_show_inline_token=STOLEN_TOKEN`
6. Trick a privileged user (admin or higher) into viewing the manipulated issue page. The XHTML renders inline, loads the JavaScript attachment, and executes the attacker's code in the victim's session.
<h2 style="color: blue;">Protection from this CVE</h2>
- Upgrade to MantisBT 2.28.2 immediately. The fix restricts MIME types for inline rendering: all text types are forced to
text/plain, unsafe types are blocked, and remaining files are served asapplication/octet-stream.
- If immediate upgrade is impossible, apply the patch from commit `26647b2` manually.
- Harden CSP policies to prevent execution of inline scripts and restrict script-src to trusted domains.
- Monitor for abnormal attachments (
.xhtml,.xml,.js`) in issue reports.
– Invalidate CSRF tokens after single use to break the token reuse attack chain.

Impact

  • Scope: MantisBT versions up to and including 2.28.1.
  • Privilege Requirement: Authenticated user with at least “Reporter” access.
  • User Interaction: Required – victim must view the infected issue page.
  • CSP Bypass: The XHTML file loads an external JavaScript attachment, bypassing restrictive CSP rules that block inline executions.
  • Consequences: Full account compromise of any user viewing the issue, including administrators. The attacker can perform any action in the context of the victim, such as changing passwords, creating privileged accounts, or exfiltrating sensitive bug data.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top