Skip to main content

CVE-2026-40607

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 https://github.com/mantisbt/mantisbt GHSA-f633-865q-2mhh
Share

Lifecycle Timeline

1
CVE Published
May 11, 2026 - 19:35 nvd
HIGH

DescriptionCVE.org

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.

Impact

Cross-site scripting (XSS).

Note that By default, only users with *Manager* access level or above can save their filters publicly

Patches

  • 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

Workarounds

  • Prevent display of users' real name (set $g_ show_user_realname = OFF; in configuration)
  • Restrict ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Analysis

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.

Impact

Cross-site scripting (XSS).

Note that By default, only users with *Manager* access level or above can save their filters publicly

Patches

  • 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

Workarounds

  • Prevent display of users' real name (set $g_ show_user_realname = OFF; in configuration)
  • Restrict ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Share

CVE-2026-40607 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy