CVE-2026-40607 HIGH

CVE-2026-40607: MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column

Vendor Mantisbt
Product mantisbt
Weakness CWE-79 · XSS
Published May 22, 2026
Last update May 26, 2026

CVSS base score

7.5/10 (High)
Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner: the owner's display name is written into the saved-filter listing without HTML escaping, so an attacker who places HTML in their own real name and saves a filter can inject arbitrary HTML into the pages of every user who views that filter list, on systems where $g_show_user_realname = ON. Note that by default only users with Manager access level or above can save their filters publicly, which is why the CVSS vector rates the required privileges as High. This issue has been fixed in version 2.28.2. If administrators are unable to update immediately, they can work around the issue by preventing display of users' real names (set $g_show_user_realname = OFF; in config_inc.php) and by restricting the ability to store filters (set $g_stored_query_create_threshold and $g_stored_query_create_shared_threshold to NOBODY).
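The following PHP is an added illustration, not MantisBT's own code and not the actual fix shipped in 2.28.2. It shows the class of bug the advisory describes (a user-controlled display name concatenated into the owner cell of an HTML table without escaping), the output-escaping fix, and why the $g_show_user_realname = OFF workaround removes the injection point. The function names, the $config and $user arrays and the payload are constructed for the example.

```php
<?php
// Added example, not MantisBT project code. All names below
// (display_name, render_owner_cell_vulnerable, render_owner_cell_fixed,
// $config, $user) are hypothetical stand-ins for the real code paths.

// Constructed config mirroring the advisory's setting. ON means the
// user's real name, rather than the username, is shown in listings.
$config = [
    'show_user_realname' => true,
];

// Constructed owner record for a saved filter. The real name is
// attacker-controlled and carries a stored-XSS payload.
$user = [
    'username' => 'mallory',
    'realname' => '<img src=x onerror="alert(document.cookie)">',
];

// Choose the display name the way the workaround relies on: with
// show_user_realname OFF the real name never reaches the page.
function display_name(array $user, array $config): string
{
    if ($config['show_user_realname'] && $user['realname'] !== '') {
        return $user['realname'];
    }
    return $user['username'];
}

// Vulnerable pattern: the display name is dropped into the HTML cell
// verbatim, so any markup in it is rendered by the viewer's browser.
function render_owner_cell_vulnerable(array $user, array $config): string
{
    return '<td>' . display_name($user, $config) . '</td>';
}

// Hardened pattern: escape at the point of output for an HTML text
// context. ENT_QUOTES also neutralises quotes, which matters if the
// same value is ever reused inside an attribute.
function render_owner_cell_fixed(array $user, array $config): string
{
    $name = htmlspecialchars(display_name($user, $config), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $name . '</td>';
}

// Demonstration: same record rendered three ways.
echo "realname ON, unescaped (vulnerable):\n  ",
    render_owner_cell_vulnerable($user, $config), "\n";
echo "realname ON, escaped (fixed):\n  ",
    render_owner_cell_fixed($user, $config), "\n";

$config['show_user_realname'] = false;
echo "realname OFF (workaround), unescaped code path:\n  ",
    render_owner_cell_vulnerable($user, $config), "\n";
```

Run it with `php example.php`. The first line contains a live `<img onerror=...>` tag; the second contains only `&lt;img ...&gt;` text; the third shows that turning real names off keeps the payload out of the page even through the unpatched code path, which is the whole effect of the workaround. Escaping at output, as in the second function, is the durable fix; the configuration change only removes one route to the sink and should be paired with the upgrade to 2.28.2.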

Key dates

Disclosure timeline

May 22, 2026 CVE published
May 26, 2026 Record updated
