Improper Escaping Vulnerability in Mantis Bug Tracker by MantisBT
CVE-2026-39960

5.4MEDIUM

Key Information:

Vendor: Mantisbt
Status: Mantisbt
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-39960?

Mantis Bug Tracker versions 2.28.1 and earlier suffer from a vulnerability due to flawed logic in handling textarea custom field inputs on the Update Issue page. This flaw allows attackers to inject malicious HTML and, under certain Content Security Policy (CSP) configurations, execute arbitrary JavaScript when the affected page is viewed. An attacker, who must be an authenticated user with permission to report bugs, can exploit this vulnerability to steal user sessions, potentially leading to unauthorized access to administrative accounts and sensitive project data. Users are advised to upgrade to version 2.28.2 to mitigate this risk. As a temporary measure, implementing the default CSP can help block script execution, reducing the chance of exploitation.

Affected Version(s)

mantisbt < 2.28.2

References

https://github.com/mantisbt/mantisbt/security/advisories/...

x_refsource_CONFIRM

https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Apr 7, 2026

CVE-2026-39960 Data

JSON

Mantisbt

What is CVE-2026-39960?

Affected Version(s)

References

CVSS V3.1

Timeline