CVE-2026-40607

Source
https://cve.org/CVERecord?id=CVE-2026-40607
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40607.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40607
Aliases
Published
2026-05-22T19:39:13.817Z
Modified
2026-07-08T08:13:12.913067827Z
Severity
  • 7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column
Details

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $gshowuserrealname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g showuserrealname = OFF; in configuration), and restricting the ability to store filters (set $gstoredquerycreatethreshold / $gstoredquerycreateshared_threshold to NOBODY).

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40607.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mantisbt/mantisbt

Affected ranges

Type
GIT
Repo
https://github.com/mantisbt/mantisbt
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.28.2"
        }
    ]
}

Affected versions

release-2.*
release-2.1.0
release-2.10.0
release-2.11.0
release-2.12.0
release-2.13.0
release-2.14.0
release-2.15.0
release-2.16.0
release-2.17.0
release-2.18.0
release-2.19.0
release-2.2.0
release-2.20.0
release-2.21.0
release-2.22.0
release-2.23.0
release-2.24.0
release-2.25.0
release-2.26.0
release-2.27.0
release-2.28.0
release-2.28.1
release-2.3.0
release-2.4.0
release-2.5.0
release-2.6.0
release-2.7.0
release-2.8.0
release-2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40607.json"