XSS and HTML Injection Vulnerability in Mantis Bug Tracker by MantisBT
CVE-2026-40597

7.6 HIGH

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 22 May 2026

What is CVE-2026-40597?

Mantis Bug Tracker, an open source issue tracker, is affected by an XSS and HTML injection vulnerability in versions 2.28.1 and earlier. An attacker who already has an existing XSS or HTML injection point can use it to bypass the Content Security Policy's script-src directive: they upload a crafted attachment to any issue, and when that attachment is requested through the file_download.php link it may be served with a valid JavaScript MIME type, so the same-origin download can be loaded as a script and executed. The uploaded payload is treated as JavaScript because the response's MIME type is derived from PHP's finfo content detection rather than from a safe, fixed type. The issue is fixed in version 2.28.2.
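The mitigation a defender wants here is a download handler that never lets content-based MIME detection choose a type the browser will execute. The following is an added illustration, not MantisBT's own file_download.php and not code from the advisory: the function names (attachment_headers, serve_attachment), the parameters ($stored_path, $orig_name) and the list of active content types are assumptions made for the example. The header logic is separated from output so it can be reasoned about without a web server.

```php
<?php
// Added example (not MantisBT code): hardened headers for serving user uploads.
// Assumed names: attachment_headers(), serve_attachment(), $stored_path, $orig_name.

// MIME types a browser treats as executable or renderable when a same-origin
// download is referenced from <script src>, <link>, <iframe> or opened directly.
// Anything detected as one of these is downgraded to an opaque byte stream.
const ACTIVE_CONTENT_TYPES = [
    'text/javascript', 'application/javascript', 'application/x-javascript',
    'application/ecmascript', 'text/ecmascript',
    'text/html', 'application/xhtml+xml', 'image/svg+xml',
    'text/xml', 'application/xml', 'text/css',
];

/**
 * Decide the response headers for an uploaded attachment.
 * $detected_mime is whatever content detection (finfo/libmagic) reported;
 * it is treated as untrusted because the attacker controls the bytes.
 * Returns an associative array of headers rather than emitting them.
 */
function attachment_headers(string $detected_mime, string $orig_name): array {
    // Drop any "; charset=..." parameter and normalise case before comparing.
    $mime = strtolower(trim(explode(';', $detected_mime)[0]));
    if ($mime === '' || in_array($mime, ACTIVE_CONTENT_TYPES, true)) {
        $mime = 'application/octet-stream';
    }
    // Keep only the base name and strip characters that could break the
    // quoted filename parameter or smuggle control bytes into the header.
    $safe_name = preg_replace('/[^\x20-\x7E]/', '_', basename($orig_name));
    $safe_name = str_replace(['"', '\\'], '_', $safe_name);
    return [
        // Never a script/markup type, even if detection said so.
        'Content-Type'            => $mime,
        // "attachment" (not "inline") so the browser saves instead of rendering.
        'Content-Disposition'     => 'attachment; filename="' . $safe_name . '"',
        // Stops MIME sniffing and makes browsers refuse the response as a
        // <script src> unless it carries a JavaScript MIME type.
        'X-Content-Type-Options'  => 'nosniff',
        // If the bytes are ever rendered as a document, this policy applies
        // to that document and blocks script and same-origin access.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

/** Stream a stored attachment to the client with the hardened headers. */
function serve_attachment(string $stored_path, string $orig_name): void {
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($stored_path) ?: 'application/octet-stream';
    foreach (attachment_headers($detected, $orig_name) as $name => $value) {
        header($name . ': ' . $value);
    }
    header('Content-Length: ' . filesize($stored_path));
    readfile($stored_path);
}

// Example decision, using a constructed detection result rather than a real file:
// attachment_headers('text/javascript', 'notes.txt')['Content-Type']
// yields 'application/octet-stream', so a crafted upload cannot be pulled in
// as a same-origin script source.
```

The design choice worth noting is that X-Content-Type-Options: nosniff does double duty: it stops the browser from sniffing an octet-stream back into HTML or script, and it makes script loads fail unless the response carries an explicit JavaScript MIME type, which the allow-list above guarantees the download never does. Forcing Content-Disposition: attachment closes the HTML injection half of the issue by preventing inline rendering of whatever the file contains.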

Affected Version(s)

mantisbt < 2.28.2

References

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
