CVE-2026-40596

high

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.

References

https://mantisbt.org/bugs/view.php?id=37016

https://mantisbt.org/bugs/view.php?id=37011

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3

https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d

Details

Source: Mitre, NVD

Published: 2026-05-22

Updated: 2026-05-22

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 7.2

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L

Severity: High

EPSS

EPSS: 0.0005