Skip to content
Threat Feed
critical advisory

MantisBT Reflected XSS Vulnerabilities in admin/install.php (CVE-2026-52847)

MantisBT versions 2.28.3 and earlier are vulnerable to six reflected XSS injection points in the `/admin/install.php` script, which attackers can exploit without authentication to perform credential phishing, open redirects, and UI manipulation due to an incomplete Content Security Policy.

MantisBT versions 2.28.3 and earlier contain critical reflected Cross-Site Scripting (XSS) vulnerabilities, designated CVE-2026-52847, within the /admin/install.php script. There are six distinct injection points where user-supplied parameters are echoed directly into the HTML response without proper escaping via the print_test_result() function. This vulnerability requires no prior authentication, making it easily exploitable. While a Content Security Policy (CSP) with script-src 'self' prevents direct inline JavaScript execution, the absence of a form-action directive in the CSP allows attackers to bypass this protection. This CSP misconfiguration enables sophisticated exploitation techniques such as credential-phishing form injection and <meta>-based open redirects, posing a significant risk to administrators. The vulnerability can lead to credential theft, silent redirection to malicious sites, and deceptive UI manipulation for social engineering purposes.

Attack Chain

  1. Initial Reconnaissance: Attacker identifies a MantisBT instance with /admin/install.php accessible, potentially using OSINT or vulnerability scanning tools.
  2. Vulnerability Identification: Attacker confirms the presence of the reflected XSS vulnerability by sending crafted requests to /admin/install.php and observing unescaped input in the HTML response.
  3. Payload Crafting: Attacker crafts a malicious URL containing an XSS payload designed to either inject a fake login form or an HTML <meta> refresh tag for redirection.
  4. Social Engineering: Attacker sends the crafted malicious URL to a MantisBT administrator via email, instant message, or another communication vector (e.g., spearphishing).
  5. Victim Interaction: The administrator clicks on the malicious URL, loading the vulnerable /admin/install.php page in their browser.
  6. XSS Execution: The XSS payload in the URL executes, either rendering a fake login form that submits credentials to an attacker-controlled server or silently redirecting the user to a phishing or malware site.
  7. Credential Theft/Redirection: The administrator's credentials are harvested by the attacker or the user is redirected to a malicious destination, leading to further compromise.

Impact

Successful exploitation of CVE-2026-52847 can lead to severe consequences for organizations using affected MantisBT versions. The primary observed impacts include credential phishing, where an attacker can craft a URL that displays a convincing, but fake, login form on the legitimate MantisBT admin page, capturing administrator credentials when submitted. Additionally, the vulnerability can be used for open redirects, silently steering victims to attacker-controlled phishing or malware distribution sites. UI manipulation via CSS injection is also possible, allowing attackers to hide legitimate content and overlay malicious HTML elements for social engineering. While specific victim counts are not provided, any administrator interacting with a crafted URL is at risk, potentially leading to full compromise of the MantisBT instance and broader network access.

Recommendation

  • Patch CVE-2026-52847 immediately by upgrading MantisBT to a version patched by commits 0f32ceabadc745239754962df91a51d5d51e3fd7 or f2191a0d8ce438bf74171d496cf721dae025a5c0.
  • Implement the recommended workaround: Remove the /admin directory from MantisBT instances if not actively used, as suggested in the MantisBT Admin Guide.
  • Deploy the Sigma rule below to your SIEM to detect attempts to exploit the /admin/install.php path with XSS payloads.
  • Enable comprehensive web server logging for the webserver category, capturing full URI paths and query parameters, to ensure the detection rule can identify malicious requests to /admin/install.php.

Detection coverage 1

Detects CVE-2026-52847 Exploitation - MantisBT admin/install.php Reflected XSS

high

Detects exploitation attempts against MantisBT CVE-2026-52847, a reflected XSS in `/admin/install.php` by monitoring for common XSS payload indicators in the URI query parameters.

sigma tactics: execution, initial_access techniques: T1059.007, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →