{"id":"GHSA-j7v9-f46r-2rp4","summary":"MantisBT is Vulnerable to Reflected XSS in Rendering Dynamic Custom Textarea Field","details":"Lack of validation of the filter_target parameter on return_dynamic_filters.php (normally used as an AJAX endpoint by the View Issues page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field.\n\n### Impact\nCross-site scripting (XSS)\n\n### Patches\n- c885af13f0b8596714ffe11df757c09f35fbd8f4\n\n### Workarounds\nNone\n\n### Credits\n\nThanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.","aliases":["CVE-2026-41897"],"modified":"2026-05-11T19:49:16.680567Z","published":"2026-05-11T19:39:22Z","database_specific":{"github_reviewed_at":"2026-05-11T19:39:22Z","cwe_ids":["CWE-79"],"github_reviewed":true,"severity":"MODERATE","nvd_published_at":null},"references":[{"type":"WEB","url":"https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4"},{"type":"WEB","url":"https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4"},{"type":"PACKAGE","url":"https://github.com/mantisbt/mantisbt"},{"type":"WEB","url":"https://mantisbt.org/bugs/view.php?id=37013"}],"affected":[{"package":{"name":"mantisbt/mantisbt","ecosystem":"Packagist","purl":"pkg:composer/mantisbt/mantisbt"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0"},{"fixed":"2.28.2"}]}],"versions":["2.10.0","2.10.1","2.11.0","2.11.1","2.12.0","2.12.1","2.12.2","2.13.0","2.13.1","2.13.2","2.14.0","2.15.0","2.15.1","2.16.0","2.16.1","2.17.0","2.17.1","2.17.2","2.18.0","2.18.1","2.19.0","2.19.1","2.20.0","2.20.1","2.21.0","2.21.1","2.21.2","2.21.3","2.22.0","2.22.1","2.22.2","2.23.0","2.23.1","2.24.0","2.24.1","2.24.2","2.24.3","2.24.4","2.24.5","2.25.0","2.25.1","2.25.2","2.25.3","2.25.4","2.25.5","2.25.6","2.25.7","2.25.8","2.26.0","2.26.1","2.26.2","2.26.3","2.26.4","2.27.0","2.27.1","2.27.2","2.27.3","2.28.0","2.28.1","2.3.0","2.3.1","2.3.2","2.3.3","2.4.0","2.4.1","2.4.2","2.5.0","2.5.1","2.5.2","2.6.0","2.7.0","2.7.1","2.8.0","2.8.1","2.9.0","2.9.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-j7v9-f46r-2rp4/GHSA-j7v9-f46r-2rp4.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}