0036986: CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0036986	mantisbt	security	public	2026-03-18 04:30	2026-05-09 19:56

Reporter	ninjasec	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.28.1
Target Version	2.28.2	Fixed in Version	2.28.2

Summary	0036986: CVE-2026-34463: Stored HTML Injection/XSS in Clone Issue Form via Unescaped Project Name
Description	When cloning an issue from a different current project context, the clone/report form prepends the source project name before the category selector. That project name is inserted without output encoding, so attacker-controlled markup in the source project name is rendered in the clone form. Affected Code bug_report_page.php:279 Prerequisites Attacker can control the source project name User can view the source issue User is currently in a different project context before opening the clone form
Steps To Reproduce	Steps to Reproduce Rename the source project to a harmless HTML payload, for example: <span id="clone-project-html">owned</span> Switch the current project to a different project. Open the clone form for an issue in the source project. Request GET /bug_report_page.php?m_id=1 HTTP/1.1 Response HTTP/1.1 200 OK The response rendered the source project label as HTML before the category selector. Observed fragment: [<span id="clone-project-html">owned</span>] <select id="category_id" ...
Tags	No tags attached.
Attached Files	image.png (286,287 bytes) image.png (286,287 bytes)

dregad 2026-03-28 12:38 developer ~0070910	XSS confirmed. Advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2 CVE ID requested.

dregad 2026-03-28 13:10 developer ~0070911	PR https://github.com/mantisbt/mantisbt-ghsa-fvjf-68wh-rwp2/pull/1

dregad 2026-03-30 13:05 developer ~0070917	CVE-2026-34463 assigned.

dregad 2026-04-19 09:19 developer ~0071032	This issue was independently reported by another security researcher see 0037014.

MantisBT: master-2.28 df22697a 2026-03-28 12:46 dregad Details Diff	Escape Project name in bug_report_page.php Prevents XSS in Clone context (i.e. if m_id parameter is provided) when the current project is different from the master issue's. Fixes 0036986, GHSA-fvjf-68wh-rwp2		Affected Issues 0036986
	mod - bug_report_page.php		Diff File