CVE-2026-40596

HIGH

MantisBT is vulnerable to XSS and potential account takeover via user font family preference update

Title source: cna

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating the font family preference on their own account. Because that preference is rendered into every MantisBT page, the injected payload is emitted on every page the affected account loads. Combined with a separate CSP bypass (see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
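The failure mode described above, as an added illustration rather than MantisBT's own code: a free-text preference value is interpolated into a style block, so a value containing a closing style tag breaks out into HTML context, and an allowlist check on both save and render closes the hole. The constants and function names (FONT_CHOICES, validate_font_pref, render_font_css_*) and the payload are hypothetical and constructed for this example.

```php
<?php
// Added example, not MantisBT code. Shows why a free-text "font family"
// preference is an XSS sink when written into markup, and the allowlist fix.
declare(strict_types=1);

// Hypothetical allowlist standing in for the application's configured choices.
const FONT_CHOICES = ['Open Sans', 'Roboto', 'Arial', 'Georgia'];
const FONT_DEFAULT = 'Open Sans';

// Vulnerable pattern: the stored preference is trusted and written verbatim.
// A value containing "</style>" terminates the style element; what follows
// is parsed as HTML, so an injected <script> element is live on every page
// that renders this preference.
function render_font_css_unsafe(string $pref): string
{
    return "<style>body { font-family: '" . $pref . "'; }</style>";
}

// Hardened: accept only an exact match against the configured choices.
// Escaping alone would stop the </style> breakout, but an allowlist also
// rules out CSS-level abuse inside the value (url(), legacy expression()).
// Returns null for anything that is not an allowed choice.
function validate_font_pref(string $pref): ?string
{
    return in_array($pref, FONT_CHOICES, true) ? $pref : null;
}

// The check belongs on the write path: a bad value must never reach storage.
function save_font_pref(string $pref): string
{
    $font = validate_font_pref($pref);
    if ($font === null) {
        throw new InvalidArgumentException('font family is not an allowed choice');
    }
    return $font; // in a real application: persist $font here
}

// The check is repeated on the read path, because values stored before the
// fix (or written by another code path) may already be in the database.
function render_font_css_safe(string $pref): string
{
    $font = validate_font_pref($pref) ?? FONT_DEFAULT;
    // Allowlisted values contain no markup-significant characters, so this
    // escaping is defence in depth rather than the primary control.
    $escaped = htmlspecialchars($font, ENT_QUOTES, 'UTF-8');
    return "<style>body { font-family: '" . $escaped . "'; }</style>";
}

// Constructed payload for demonstration; the advisory publishes none.
$payload = "x'; }</style><script>alert(document.cookie)</script><style>body { x: '";

echo "Unsafe rendering (contains a live script element):\n";
echo render_font_css_unsafe($payload), "\n\n";

echo "Safe rendering (falls back to the default):\n";
echo render_font_css_safe($payload), "\n\n";

try {
    save_font_pref($payload);
} catch (InvalidArgumentException $e) {
    echo "Save rejected: ", $e->getMessage(), "\n";
}
```

The unsafe output is exactly the situation the advisory pairs with a CSP bypass: an inline script injected this way is blocked by a Content-Security-Policy whose script-src lacks 'unsafe-inline', which is why the description treats the bypass (GHSA-9c3j-xm6v-j7j3) as a prerequisite for account takeover rather than the XSS alone. When upgrading to 2.28.2, also audit already-stored preference values, since the hardened read path above only matters for rows written before the fix if the application re-validates on render.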

Scores

CVSS v4 7.2
EPSS 0.0050
EPSS Percentile 38.7%
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
mantisbt/mantisbt 2.11.0 - 2.28.2 (upper bound exclusive; 2.28.2 is the fixed release) Packagist
mantisbt/mantisbt >= 2.11.0, < 2.28.2
Published May 22, 2026
Tracked Since May 23, 2026