Cross-Site Scripting Vulnerability in Mantis Bug Tracker Affecting Multiple Versions
CVE-2026-40596

7.2 HIGH

Key Information:

Vendor: Mantisbt

Status: Vendor

CVE Published: 22 May 2026

What is CVE-2026-40596?

Mantis Bug Tracker versions 2.11.0 to 2.28.1 are vulnerable to Cross-Site Scripting (XSS) due to a flaw that allows authenticated users to inject arbitrary HTML via the font family update feature. This vulnerability permits attackers to execute scripts on all pages of MantisBT, potentially leading to account compromise if combined with other existing vulnerabilities such as a Content Security Policy (CSP) bypass. The issue has been addressed in version 2.28.2 of Mantis Bug Tracker.
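The defect described above is a stored configuration value (a font family) reaching every rendered page without validation. As an added illustration, not MantisBT's own code (the handler names, the token grammar and the sample rows are assumptions), here is the unsafe pattern beside a hardened handler that accepts only well-formed CSS font-family lists, plus an audit helper a defender could run over stored settings:

```python
import re

# A font-family value is a comma-separated list of family names. Each name is
# an unquoted identifier (letters, digits, hyphen, space) or the same characters
# inside single or double quotes. Anything else (angle brackets, semicolons,
# braces, parentheses) is rejected before the value can reach a page.
FAMILY_TOKEN = re.compile(
    r"""^\s*(?:[A-Za-z][A-Za-z0-9 \-]*|"[A-Za-z0-9 \-]+"|'[A-Za-z0-9 \-]+')\s*$"""
)

# Constructed sample of stored settings, not real MantisBT data.
SAMPLE_CONFIG_ROWS = [
    ("font_family", "Arial, sans-serif"),
    ("font_family", '"Open Sans", Helvetica'),
    ("font_family", "Arial</style><b>x</b>"),
]


def is_safe_font_family(value: str) -> bool:
    """True only if every comma-separated part is a plain family name."""
    if not value or len(value) > 200:
        return False
    return all(FAMILY_TOKEN.match(part) for part in value.split(","))


def render_style_vulnerable(font_family: str) -> str:
    """Hypothetical 'before': the stored value is embedded verbatim, so a value
    containing '</style>' escapes the style element on every page."""
    return "<style>body { font-family: %s; }</style>" % font_family


def render_style_hardened(font_family: str) -> str:
    """Allowlist the value; fall back to a safe default instead of rendering it.
    Inside a <style> element HTML entity escaping does not apply, so strict
    validation of the value is the control, not output encoding."""
    if not is_safe_font_family(font_family):
        font_family = "sans-serif"
    return "<style>body { font-family: %s; }</style>" % font_family


def audit_font_settings(rows):
    """Return (setting, value) pairs that fail validation, for reviewing
    settings already stored before an upgrade."""
    return [(name, val) for name, val in rows if not is_safe_font_family(val)]


if __name__ == "__main__":
    for name, val in audit_font_settings(SAMPLE_CONFIG_ROWS):
        print("suspicious %s value: %r" % (name, val))
```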

Affected Version(s)

mantisbt >= 2.11.0, < 2.28.2

CVSS v4

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved
