Skip to main content

CVE-2026-40598

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/mantisbt/mantisbt GHSA-6jh4-47v2-4g37
Share

Lifecycle Timeline

1
CVE Published
May 11, 2026 - 19:35 nvd
MEDIUM

DescriptionCVE.org

Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML.

While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting.

Impact

Cross-site scripting (XSS).

Patches

  • b1ebc57763f104eb5f541b7b4d1ce6948168abd9

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Analysis

Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML.

While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting.

Impact

Cross-site scripting (XSS).

Patches

  • b1ebc57763f104eb5f541b7b4d1ce6948168abd9

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Share

CVE-2026-40598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy