CVE-2026-40596
EPSS: 0.06%
MantisBT is vulnerable to XSS leading to account takeover via updating a user's font family preference
Published: 5/11/2026
Modified: 5/11/2026
Description
Any authenticated user can inject arbitrary HTML via updating their account's font family.

### Impact

Cross-site scripting. The injected payload will be reflected in every MantisBT page. Leveraging another vulnerability (CSP bypass, see [GHSA-9c3j-xm6v-j7j3](https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3)), the attacker could achieve account takeover.

### Patches

- 9e8409cdd979eba86ef532756fc47c1d8112d22d

### Workarounds

None

### Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.
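The advisory describes a stored preference (the font family) that ends up in the markup of every page. The Python below is an added illustration, not MantisBT's code and not the patched commit: it shows the unsafe pattern such a bug implies (a preference interpolated verbatim into a `<style>` element), a hardened version (allowlist on input, quoting and escaping at the output boundary), and an audit helper a defender could run over stored preference values after upgrading. The allowlist, function names and sample rows are constructed for this example.

```python
"""
Added illustration of the bug class in this advisory. Nothing here is
MantisBT's own code; the allowlist, helper names and sample data are
constructed assumptions.
"""
import html
import re

# Constructed allowlist; a real deployment chooses its own set.
ALLOWED_FONT_FAMILIES = (
    "Arial", "Helvetica", "Verdana", "Georgia", "Times New Roman",
    "Courier New", "serif", "sans-serif", "monospace",
)
DEFAULT_FONT_FAMILY = "sans-serif"

# Characters outside this set cannot be part of a plain font name, and
# some of them (<, >, ", ;, {, }) change the meaning of CSS or HTML.
_FONT_NAME_RE = re.compile(r"^[A-Za-z0-9 \-]{1,64}$")


def render_font_style_unsafe(font_family: str) -> str:
    """Vulnerable pattern: the stored preference is emitted verbatim, so a
    value containing '</style>' ends the style element and the rest of
    the value is parsed as HTML on every page that renders it."""
    return f"<style>body {{ font-family: {font_family}; }}</style>"


def normalize_font_family(font_family: str) -> str:
    """Hardened input handling: map the value to an allowlisted name
    (case-insensitively) or fall back to the default. Nothing that is not
    on the allowlist is ever stored or rendered."""
    candidate = font_family.strip()
    for allowed in ALLOWED_FONT_FAMILIES:
        if candidate.lower() == allowed.lower():
            return allowed
    return DEFAULT_FONT_FAMILY


def render_font_style_safe(font_family: str) -> str:
    """Defense in depth: allowlist first, then quote and HTML-escape at the
    output boundary so even an allowlist mistake cannot close the element."""
    name = normalize_font_family(font_family)
    return f'<style>body {{ font-family: "{html.escape(name, quote=True)}"; }}</style>'


def suspicious_font_preferences(rows):
    """Audit helper for existing data: return the (user_id, value) rows whose
    stored font preference cannot be a plain font name. Useful after patching,
    since the fix stops new injections but does not clean up stored ones."""
    return [(user_id, value) for user_id, value in rows
            if not _FONT_NAME_RE.match(value)]


# Constructed sample of a user-preference table: two benign rows and one
# value that breaks out of the style element (no script, just markup).
SAMPLE_PREFERENCES = [
    (1, "Arial"),
    (2, "Courier New"),
    (3, "Arial</style><b>injected</b>"),
]


if __name__ == "__main__":
    for user_id, value in SAMPLE_PREFERENCES:
        print(user_id, "unsafe:", render_font_style_unsafe(value))
        print(user_id, "safe:  ", render_font_style_safe(value))
    print("flagged rows:", suspicious_font_preferences(SAMPLE_PREFERENCES))
```

The audit helper is deliberately strict: it flags any value that could not have come from a font-name form, which is cheap to review by hand and catches stored payloads regardless of what they try to do once rendered.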
Affected packages (1)
- Packagist: mantisbt/mantisbt, versions >= 2.11.0, < 2.28.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L |
References (6)
- PATCH: https://github.com/mantisbt/mantisbt
- WEB: https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d
- WEB: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
- WEB: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j
- WEB: https://mantisbt.org/bugs/view.php?id=37011
- WEB: https://mantisbt.org/bugs/view.php?id=37016