CVE-2026-40596 HIGH

CVE-2026-40596: MantisBT is vulnerable to XSS and potential account takeover via user font family preference update

Vendor Mantisbt
Product mantisbt
Weakness CWE-79 · XSS
Published May 22, 2026
Last update May 22, 2026

CVSS base score 7.2/10 (High)

Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required Low
User interaction Passive
Confidentiality impact High
Integrity impact Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L

What the vulnerability does

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family preference. Once exploited, the XSS payload is reflected on every MantisBT page. Combined with a separate CSP bypass vulnerability (see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.

Key dates

Disclosure timeline

May 22, 2026 CVE published
May 22, 2026 Record updated