Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.
Published: 2026-05-22
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MantisBT, an open-source issue tracker, allows an attacker who already has an XSS or HTML injection foothold in the application to bypass the Content Security Policy's script-src directive. The attacker uploads a crafted attachment to any issue; when file_download.php serves it, PHP finfo sniffs the file as a valid JavaScript MIME type and the response is sent with that type. Because the browser honors X-Content-Type-Options: nosniff, it accepts the file as the source of a <script> tag, and the attacker's JavaScript executes in the victim's user context. The bypass removes the protection the CSP was meant to provide and can lead to client-side code execution and data theft.

Affected Systems

The vulnerability affects MantisBT version 2.28.1 and earlier. The issue was addressed in version 2.28.2. All installations running an affected version are at risk until a patch is applied.

Risk and Exploitability

With a CVSS score of 7.6, the flaw is considered high severity. Although an EPSS score is not available, the vulnerability can be leveraged by attackers who already have an XSS or HTML injection pathway into the application. After uploading a malicious attachment, they can reference its file_download.php link from the injected markup so that the file is loaded as JavaScript in victims' browsers. The attack does not require any special network-level access and can be performed from any external client with permission to create or modify issues. The flaw is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 22, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.2 or later to receive the vendor fix.
  • Investigate and remediate any existing XSS or HTML injection vulnerabilities that may serve as entry points for this bypass.
  • Restrict attachment uploads by excluding JavaScript MIME types or by configuring the server to treat uploaded files as non‑executable content.
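The decision described in the Description above (a browser under X-Content-Type-Options: nosniff executes a <script src> response only when its Content-Type essence is a JavaScript MIME type) and the attachment restrictions recommended in this list, worked through as an added Python example. This is not MantisBT's code or its fix; it assumes the sniffed type from PHP finfo (or any libmagic-style sniffer) is already available as a string. The JavaScript MIME type list is the one in the WHATWG MIME Sniffing Standard; ACTIVE_CONTENT_TYPES, the sample attachments and the policy functions are constructed for this example.

```python
"""Added example (not MantisBT code): decide whether an attachment's sniffed
MIME type would let a nosniff browser execute it from a <script src=...> tag,
apply an upload-time policy, and build download headers that defuse such files.

Assumptions: the caller already ran finfo/libmagic (or any sniffer) and passes
its result as `sniffed_type`; header names and values follow the HTTP/Fetch specs.
"""

from typing import Dict, List, Tuple

# JavaScript MIME types as listed in the WHATWG MIME Sniffing Standard. With
# nosniff set, a browser runs a <script src> response only if the Content-Type
# essence (type/subtype, parameters stripped) is one of these.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Other types a browser renders actively when navigated to. Constructed policy
# list for this example, not a standards list.
ACTIVE_CONTENT_TYPES = frozenset({"text/html", "application/xhtml+xml", "image/svg+xml"})


def mime_essence(content_type: str) -> str:
    """Lowercase type/subtype with parameters removed:
    'Text/JavaScript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def is_javascript_mime_type(content_type: str) -> bool:
    return mime_essence(content_type) in JAVASCRIPT_MIME_TYPES


def script_allowed_under_nosniff(content_type: str) -> bool:
    """True if a nosniff browser would execute a <script src> response carrying
    this Content-Type; every non-JavaScript MIME type is blocked."""
    return is_javascript_mime_type(content_type)


def classify_attachment(sniffed_type: str) -> str:
    """Upload-time policy (constructed): 'reject' JavaScript types, 'neutralize'
    other active types (they will be served as opaque bytes), 'pass' the rest."""
    essence = mime_essence(sniffed_type)
    if essence in JAVASCRIPT_MIME_TYPES:
        return "reject"
    if essence in ACTIVE_CONTENT_TYPES:
        return "neutralize"
    return "pass"


def hardened_download_headers(sniffed_type: str, filename: str) -> Dict[str, str]:
    """Download-time policy for a file_download-style endpoint.

    Content-Disposition: attachment stops inline rendering on navigation but is
    ignored for subresource loads such as <script src>, so the part that breaks
    the script-src bypass is rewriting active types to application/octet-stream,
    which is not a JavaScript MIME type and is therefore blocked by nosniff.
    """
    essence = mime_essence(sniffed_type)
    if essence in JAVASCRIPT_MIME_TYPES or essence in ACTIVE_CONTENT_TYPES:
        content_type = "application/octet-stream"
    else:
        content_type = essence
    # Strip characters that would break the quoted filename or inject headers.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample sniffer results (not real finfo output) to exercise the policy.
SAMPLE_ATTACHMENTS: List[Tuple[str, str]] = [
    ("notes.txt", "text/plain"),
    ("evil.txt", "text/javascript; charset=us-ascii"),
    ("report.png", "image/png"),
    ("diagram.svg", "image/svg+xml"),
]


def audit(samples=SAMPLE_ATTACHMENTS) -> Dict[str, Tuple[str, bool]]:
    """For each sample: (upload decision, would a nosniff browser still run it
    as a script after the download handler rewrote its headers?)."""
    result: Dict[str, Tuple[str, bool]] = {}
    for name, sniffed in samples:
        headers = hardened_download_headers(sniffed, name)
        result[name] = (classify_attachment(sniffed),
                        script_allowed_under_nosniff(headers["Content-Type"]))
    return result


if __name__ == "__main__":
    for name, (decision, runs) in audit().items():
        print(f"{name:12} upload={decision:10} executes_as_script_after_hardening={runs}")
```

Run it directly to see the policy applied to the constructed samples; the upload-time check is the stricter control, the header rewrite is the backstop for files that were already stored.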

Generated by OpenCVE AI on May 22, 2026 at 21:21 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-9c3j-xm6v-j7j3
Title: MantisBT has a Content Security Policy bypass via attachments
History

Fri, 22 May 2026 21:45:00 +0000

Type: First Time appeared
  Values Added: Mantisbt; Mantisbt mantisbt
Type: Vendors & Products
  Values Added: Mantisbt; Mantisbt mantisbt

Fri, 22 May 2026 20:00:00 +0000

Type: Description
  Values Added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.
Type: Title
  Values Added: MantisBT has a Content Security Policy bypass via attachments
Type: Weaknesses
  Values Added: CWE-358; CWE-79
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T19:29:46.728Z

Reserved: 2026-04-14T14:07:59.641Z

Link: CVE-2026-40597

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T21:30:16Z

Weaknesses