CVE-2026-40596
Published:May 14, 2026
Updated:May 14, 2026
Any authenticated user can inject arbitrary HTML via updating their account's font family. Impact Cross-site scripting. The injected payload will be reflected in every MantisBT page. Leveraging another vulnerability (CSP bypass, see "GHSA-9c3j-xm6v-j7j3" (https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3)), the attacker could achieve account takeover. Patches - 9e8409cdd979eba86ef532756fc47c1d8112d22d Workarounds None Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Affected Packages
https://github.com/mantisbt/mantisbt.git (GITHUB):
Affected version(s) >=release-1.0.0 <release-2.28.2Fix Suggestion:
Update to version release-2.28.2mantisbt/mantisbt (PHP):
Affected version(s) >=2.11.0 <2.28.2Fix Suggestion:
Update to version 2.28.2Related Resources (6)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
LOW
CVSS v3
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')