Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
Published: 2026-05-22
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an authenticated user to inject arbitrary HTML into their own font-family preference, which is then rendered on every page. The injected code is therefore stored and reflected, giving the attacker a stored XSS vector. If combined with the separate CSP bypass vulnerability disclosed as GHSA-9c3j-xm6v-j7j3, the attacker could also hijack the victim's account. The primary impact is therefore exposure of sensitive information and the potential loss of credential and session data through account takeover.

Affected Systems

The vulnerability affects Mantis Bug Tracker installations running versions 2.11.0 through 2.28.1. The fix ships in version 2.28.2. Users running any affected version are therefore at risk until they upgrade or apply a mitigation.

Risk and Exploitability

The CVSS 4.0 score of 7.2 indicates high severity. No EPSS score is available, so the likelihood of exploitation cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user able to edit the font-family setting; once the value is stored, the payload executes in the browser of any user who views a MantisBT page. No privileges beyond ordinary user authentication are needed, and if the CSP bypass is also present the attacker can escalate to account compromise.

Generated by OpenCVE AI on May 22, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later to patch the font-family XSS flaw.
  • Apply the CSP bypass fix GHSA-9c3j-xm6v-j7j3, or upgrade to a release that includes that patch, before or alongside the font-family update to prevent potential account takeover.
  • If immediate upgrade is not possible, restrict the font-family preference input to a whitelist of safe CSS family names, or escape user-supplied values, to mitigate the XSS risk until a patch is applied.
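The last recommended action above (allowlist the font-family preference, and escape whatever is emitted) can be implemented as shown below. This is an added example written for this page, not MantisBT's own code or its 2.28.2 fix; the function names, the allowlist contents and the `<style>` output format are assumptions chosen for illustration.

```php
<?php
// Added example (not MantisBT's own code): validate a user-supplied
// font-family preference against an allowlist before it is stored or
// rendered, and escape it when it is emitted into the page.

declare(strict_types=1);

// Hypothetical allowlist of CSS family names the site is willing to serve.
const SAFE_FONT_FAMILIES = [
    'Arial', 'Helvetica', 'Verdana', 'Tahoma', 'Georgia',
    'Times New Roman', 'Courier New', 'sans-serif', 'serif', 'monospace',
];
const DEFAULT_FONT_FAMILY = 'sans-serif';

/**
 * Returns the canonical allowlisted name if the input matches one
 * (case-insensitive, surrounding whitespace ignored), otherwise the
 * default. Anything that is not an exact match, including values that
 * contain <, >, quotes, semicolons or braces, is rejected rather than
 * "cleaned", so there is no partial-sanitisation surface to bypass.
 */
function sanitize_font_family(?string $value): string
{
    if ($value === null) {
        return DEFAULT_FONT_FAMILY;
    }
    $candidate = trim($value);
    foreach (SAFE_FONT_FAMILIES as $allowed) {
        if (strcasecmp($candidate, $allowed) === 0) {
            return $allowed; // store/emit the canonical spelling, never the raw input
        }
    }
    return DEFAULT_FONT_FAMILY;
}

/**
 * Builds the inline <style> fragment for a page. The value is expected
 * to have passed sanitize_font_family() already; escaping it again is
 * defence in depth so that a stray "</style>" or quote could not end
 * the style element or the CSS string even if that check were skipped.
 */
function render_font_style(string $family): string
{
    $escaped = htmlspecialchars($family, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<style>body { font-family: "' . $escaped . '"; }</style>';
}

// Constructed sample inputs: one legitimate, one hostile, one merely unknown.
$samples = [
    'Georgia',          // on the allowlist: emitted as-is
    'Arial</style>',    // would terminate the style element if emitted raw: replaced by default
    'Comic Sans MS',    // a real font, but not on this allowlist: replaced by default
];
foreach ($samples as $raw) {
    echo render_font_style(sanitize_font_family($raw)), PHP_EOL;
}
```

The allowlist is the primary control: a value is either an exact, case-insensitive match for a known family name and is stored in its canonical spelling, or it is replaced by the default. The `htmlspecialchars` call protects only the rendering site; it is not a substitute for the allowlist, because entities are not decoded inside a `<style>` element, so an escaped name would simply fail to match any font rather than become safe CSS.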

Advisories

Source: Github GHSA
ID: GHSA-j3v9-553h-x28j
Title: MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference

History

Fri, 22 May 2026 22:30:00 +0000

Type: First Time appeared
Values Added: Mantisbt; Mantisbt mantisbt

Type: Vendors & Products
Values Added: Mantisbt; Mantisbt mantisbt

Fri, 22 May 2026 20:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 20:00:00 +0000

Type: Description
Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.

Type: Title
Values Added: MantisBT is vulnerable to XSS and potential account takeover via user font family preference update

Type: Weaknesses
Values Added: CWE-79

Type: References (no values recorded)

Type: Metrics cvssV4_0
Values Added: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-22T20:10:16.176Z
Reserved: 2026-04-14T14:07:59.641Z
Link: CVE-2026-40596

Vulnrichment

Updated: 2026-05-22T20:10:12.843Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T22:15:27Z

Weaknesses