CVE-2026-40596
HIGHLifecycle Timeline
1DescriptionCVE.org
Any authenticated user can inject arbitrary HTML via updating their account's font family.
Impact
Cross-site scripting. The injected payload will be reflected in every MantisBT page.
Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover.
Patches
- 9e8409cdd979eba86ef532756fc47c1d8112d22d
Workarounds
None
Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Analysis
Any authenticated user can inject arbitrary HTML via updating their account's font family.
Impact
Cross-site scripting. The injected payload will be reflected in every MantisBT page.
Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover.
Patches
- 9e8409cdd979eba86ef532756fc47c1d8112d22d
Workarounds
None
Credits
Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j3v9-553h-x28j