MantisBT: Reflected XSS in admin/install.php via unescaped printf
Critical severity
GitHub Reviewed
Published
Jul 15, 2026
in
mantisbt/mantisbt
•
Updated Jul 15, 2026
Description
Published to the GitHub Advisory Database
Jul 15, 2026
Reviewed
Jul 15, 2026
Last updated
Jul 15, 2026
MantisBT 2.28.3 and earlier contains six reflected XSS injection points in
/admin/install.php. User-supplied parameters are echoed into HTML without escaping via an unescaped printf format string. No authentication is required.A Content Security Policy (script-src 'self') prevents inline JavaScript execution, but the CSP is missing a form-action directive, allowing exploitation via credential-phishing form injection and open redirects.
Impact
Patches
Workarounds
Remove the
/admindirectory, as recommended in the Admin GuideResources
Credits
McCaulay Hudson (@_McCaulay) of watchTowr
References