Stored XSS Vulnerability in Mantis Bug Tracker Affects Multiple Versions
CVE-2026-40607

7.5 HIGH

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 22 May 2026

What is CVE-2026-40607?

Mantis Bug Tracker (MantisBT), an open-source issue tracking system, is vulnerable to stored cross-site scripting (XSS) because the owner of a saved filter is rendered without sufficient escaping. The flaw is reachable when the installation is configured to display users' real names: a user whose real name contains HTML and who saves a filter gets that markup rendered unescaped in the browser of anyone who views the filter list, so arbitrary script runs in the viewer's session. The advisory reports versions 2.11.0 through 2.28.1 as affected. The fix is in version 2.28.2; installations that cannot upgrade immediately should disable the display of real names and restrict the permission to save filters.
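The escaping defect described above, shown as an added PHP illustration that is not MantisBT's own code: a filter listing that prints the owner's display name, first interpolated raw (the vulnerable pattern) and then passed through htmlspecialchars() for the HTML context it lands in. The row layout, the user and filter arrays, and the $show_realname flag are constructed for this example; the flag is assumed to play the role of MantisBT's real-name display option, and the option and threshold names in the comments should be verified against your installation's config_defaults_inc.php before relying on them.

```php
<?php
// Added example, not MantisBT source. Demonstrates why an unescaped owner
// name on a saved-filter page becomes stored XSS when real names are shown.

// Constructed rows standing in for what a "manage filters" page loads from
// the database. The second user's realname is attacker-controlled profile data.
$users = [
    1 => ['username' => 'alice',   'realname' => 'Alice Example'],
    2 => ['username' => 'mallory', 'realname' => '<img src=x onerror="alert(document.cookie)">'],
];
$filters = [
    ['id' => 10, 'name' => 'Open bugs',   'user_id' => 1],
    ['id' => 11, 'name' => 'Shared view', 'user_id' => 2],
];

// Assumed to correspond to the real-name display setting ($g_show_realname in
// MantisBT's config defaults; verify). The advisory's mitigation is to turn it off.
$show_realname = true;

// Picks the name that will be displayed for a filter owner.
function owner_display_name(array $user, bool $show_realname): string {
    return ($show_realname && $user['realname'] !== '') ? $user['realname'] : $user['username'];
}

// Vulnerable pattern: untrusted values are concatenated straight into HTML.
function render_filter_row_vulnerable(array $filter, array $user, bool $show_realname): string {
    $owner = owner_display_name($user, $show_realname);
    return '<tr><td>' . $filter['name'] . '</td><td>' . $owner . '</td></tr>';
}

// Hardened pattern: every untrusted value is escaped for an HTML text/attribute
// context. ENT_QUOTES covers both quote styles; ENT_HTML5 selects HTML5 entities.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_filter_row_fixed(array $filter, array $user, bool $show_realname): string {
    $owner = owner_display_name($user, $show_realname);
    return '<tr><td>' . h($filter['name']) . '</td><td>' . h($owner) . '</td></tr>';
}

// Quick check a reviewer can run over rendered output: does any markup from the
// untrusted realname survive into the page unescaped?
function leaks_markup(string $html, string $untrusted): bool {
    return $untrusted !== h($untrusted) && strpos($html, $untrusted) !== false;
}

foreach ($filters as $f) {
    $u = $users[$f['user_id']];
    $bad  = render_filter_row_vulnerable($f, $u, $show_realname);
    $good = render_filter_row_fixed($f, $u, $show_realname);
    printf("filter %d owner=%s\n", $f['id'], $u['username']);
    printf("  vulnerable leaks markup: %s\n", leaks_markup($bad, $u['realname']) ? 'yes' : 'no');
    printf("  fixed leaks markup:      %s\n", leaks_markup($good, $u['realname']) ? 'yes' : 'no');
    printf("  fixed row: %s\n", $good);
}
```

Running this prints "yes" for the vulnerable rendering of Mallory's filter and "no" for the fixed one; the fixed row shows the payload as literal text (&lt;img ...&gt;). Note that escaping must happen at the output point for the specific context, not once at input, because the same realname is also displayed in other places with other contexts.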

Affected Version(s)

mantisbt >= 2.1.0, < 2.28.2


CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 22 May 2026

  • Vulnerability reserved