{"url":"http://public2.vulnerablecode.io/api/packages/60351?format=json","purl":"pkg:composer/mantisbt/mantisbt@2.25.3","type":"composer","namespace":"mantisbt","name":"mantisbt","version":"2.25.3","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.3.9","latest_non_vulnerable_version":"2.27.2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15524?format=json","vulnerability_id":"VCID-cfxr-2bs3-93eq","summary":"MantisBT vulnerable to XSS due to improper escape in manage_plugin_page.php and manage_plugin_uninstall.php\nAn XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26144","reference_id":"","reference_type":"","scores":[{"value":"0.00522","scoring_system":"epss","scoring_elements":"0.67201","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-26144"},{"reference_url":"https://github.com/mantisbt/mantisbt","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mantisbt/mantisbt"},{"reference_url":"https://github.com/mantisbt/mantisbt/commit/a7751c3e318011ca1314bc1cfea200d53e0dfff6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mantisbt/mantisbt/commit/a7751c3e318011ca1314bc1cfea200d53e0dfff6"},{"reference_url":"https://mantisbt.org/bugs/view.php?id=29688","reference_id":"","reference_type":"","scores":[],"url":"https://mantisbt.org/bugs/view.php?id=29688"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26144","reference_id":"CVE-2022-26144","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-26144"},{"reference_url":"https://github.com/advisories/GHSA-rqgj-rqfr-5j6f","reference_id":"GHSA-rqgj-rqfr-5j6f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqgj-rqfr-5j6f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60351?format=json","purl":"pkg:composer/mantisbt/mantisbt@2.25.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3"}],"aliases":["CVE-2022-26144","GHSA-rqgj-rqfr-5j6f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cfxr-2bs3-93eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15527?format=json","vulnerability_id":"VCID-eewc-shba-ducc","summary":"MantisBT CSV Injection unprivileged user access in csv_export.php\nLack of Neutralization of Formula Elements in the CSV API of MantisBT before 2.25.3 allows an unprivileged attacker to execute code or gain access to information when a user opens the csv_export.php generated CSV file in Excel.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43257","reference_id":"","reference_type":"","scores":[{"value":"0.00724","scoring_system":"epss","scoring_elements":"0.72869","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43257"},{"reference_url":"https://github.com/mantisbt/mantisbt","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mantisbt/mantisbt"},{"reference_url":"https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mantisbt/mantisbt/commit/7f4534c723e3162b8784aebda4836324041dbc3e"},{"reference_url":"https://github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/mantisbt/mantisbt/commit/99eb8d41cbacc703f88807898dcc9ac55eec0f15"},{"reference_url":"https://www.mantisbt.org/bugs/view.php?id=29130","reference_id":"","reference_type":"","scores":[],"url":"https://www.mantisbt.org/bugs/view.php?id=29130"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43257","reference_id":"CVE-2021-43257","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43257"},{"reference_url":"https://github.com/advisories/GHSA-rg8f-5p7x-m6wv","reference_id":"GHSA-rg8f-5p7x-m6wv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rg8f-5p7x-m6wv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60351?format=json","purl":"pkg:composer/mantisbt/mantisbt@2.25.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3"}],"aliases":["CVE-2021-43257","GHSA-rg8f-5p7x-m6wv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eewc-shba-ducc"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/mantisbt/mantisbt@2.25.3"}