CVE-2026-39960
Stored XSS in MantisBT via Textarea Custom Field
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantis_bug_tracker | to 2.28.2 (exc) |
| mantisbt | mantis_bug_tracker | 2.28.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Mantis Bug Tracker (MantisBT) versions 2.28.1 and below have a vulnerability due to flawed logic that causes improper escaping of a textarea custom field's contents on the Update Issue page (bug_update_page.php). This flaw allows an attacker to inject HTML and, if Content-Security Policy (CSP) settings permit, execute arbitrary JavaScript when the page is loaded.
To exploit this vulnerability, a textarea-type custom field must be configured for the project, and the attacker must be an authenticated user with bug report permission, which is a low privilege level.
The injected script can lead to session theft, enabling the attacker to take over admin accounts and gain full access to project data.
How can this vulnerability impact me? :
This vulnerability can lead to session theft and administrative account takeover, which means an attacker can gain full access to project data.
Since the attacker only needs low privilege bug report permission to exploit the issue, it poses a significant risk to the confidentiality and integrity of the data managed by MantisBT.
Any user viewing the bug edit form, including administrators, can be affected by the injected malicious code.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade Mantis Bug Tracker to version 2.28.2 or later where the issue is fixed.
If upgrading is not possible right away, use the default Content-Security Policy (CSP) settings to block script execution, which works as a workaround to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Mantis Bug Tracker allows an attacker to inject HTML and potentially execute arbitrary JavaScript, leading to session theft and admin account takeover. This can result in unauthorized access to full project data.
Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.
However, the provided information does not explicitly mention the impact on compliance with these standards.