CVE-2026-40596 | THREATINT

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.

PUBLISHED Reserved 2026-04-14 | Published 2026-05-22 | Updated 2026-05-22 | Assigner GitHub_M

HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 2.11.0, < 2.28.2

affected

References

github.com/...ntisbt/security/advisories/GHSA-j3v9-553h-x28j

github.com/...ntisbt/security/advisories/GHSA-9c3j-xm6v-j7j3

github.com/...ommit/9e8409cdd979eba86ef532756fc47c1d8112d22d

mantisbt.org/bugs/view.php?id=37011

mantisbt.org/bugs/view.php?id=37016

cve.org (CVE-2026-40596)

nvd.nist.gov (CVE-2026-40596)

Download JSON