Skip to main content

CVE-2026-40596

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/mantisbt/mantisbt GHSA-j3v9-553h-x28j
Share

Lifecycle Timeline

1
CVE Published
May 11, 2026 - 19:34 nvd
HIGH

DescriptionCVE.org

Any authenticated user can inject arbitrary HTML via updating their account's font family.

Impact

Cross-site scripting. The injected payload will be reflected in every MantisBT page.

Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover.

Patches

  • 9e8409cdd979eba86ef532756fc47c1d8112d22d

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Analysis

Any authenticated user can inject arbitrary HTML via updating their account's font family.

Impact

Cross-site scripting. The injected payload will be reflected in every MantisBT page.

Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover.

Patches

  • 9e8409cdd979eba86ef532756fc47c1d8112d22d

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Share

CVE-2026-40596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy