CVE-2026-62944: MantisBT Stored XSS via Attachment Filename in HTML Export
Any authenticated MantisBT user can permanently inject JavaScript into the HTML export page by uploading an image attachment with a specially crafted filename that breaks out of an HTML attribute.
The problem
In MantisBT 2.28.3 and earlier, the HTML export page (print_all_bug_page_word.php) renders image attachments as IMG tags and places the attachment filename directly into the alt attribute with no HTML encoding.
Because the filename is unsanitized, an attacker can craft a filename that closes the alt attribute and injects arbitrary HTML event handlers. Any user who views the HTML export of an issue containing that attachment will trigger the payload. The attack requires only a standard authenticated account with file upload permission.
Proof of concept
A working proof-of-concept for CVE-2026-62944 in mantisbt/mantisbt, with the exact payload below.
probe." onload="alert(document.cookie)"The vulnerable code in print_all_bug_page_word.php echoed the attachment filename raw into the alt attribute, producing output such as: <img src="..." alt="probe." onload="alert(document.cookie)" />
The double-quote in the filename terminates the alt value, and the injected onload attribute is parsed and executed by the browser. This is CWE-79 (Improper Neutralization of Input During Web Page Generation).
The patch commit bdd0e364 wraps the filename with MantisBT's string_attribute() function before output, which calls htmlspecialchars() with ENT_QUOTES, encoding the double-quote as " and neutralizing the breakout. Other fields in the same file already used string_display_line() for display contexts; the IMG alt context required the attribute-specific encoder and it was simply missing.
The fix
Upgrade to MantisBT 2.28.4. The fix is in commit bdd0e364f62759de272dfd4c89b4f51d27be9daa, which wraps the attachment filename in string_attribute() before it is written into the IMG alt attribute in print_all_bug_page_word.php. There is no workaround; upgrade is required.
Reported by Dracosec Research Limited (Chris Chan, Krecendo Hui, William Lam).
Related research
- criticalCVE-2026-52881CVE-2026-52881: MantisBT Reflected XSS in admin/install.php
- criticalCVE-2026-52847CVE-2026-52847: MantisBT Reflected XSS in admin/install.php
- highCVE-2026-49273CVE-2026-49273: MantisBT Remote Code Execution via eval() Class Hoisting in adm_config_set.php
- highCVE-2026-47142CVE-2026-47142: MantisBT SQL Injection via history_order Configuration Value