GHSA-f633-865q-2mhh

Source

https://github.com/advisories/GHSA-f633-865q-2mhh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f633-865q-2mhh/GHSA-f633-865q-2mhh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f633-865q-2mhh

Aliases

CVE-2026-40607

Published

2026-05-11T19:35:05Z

Modified

2026-05-11T19:48:59.563618Z

Severity

7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column

Details

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $gshowuser_realname = ON.

Impact

Cross-site scripting (XSS).

Note that By default, only users with Manager access level or above can save their filters publicly

Patches

44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

Workarounds

Prevent display of users' real name (set $g_ show_user_realname = OFF; in configuration)
Restrict ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:35:05Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}

References

Affected packages

Packagist / mantisbt/mantisbt

Package

Name: mantisbt/mantisbt
Purl: pkg:composer/mantisbt/mantisbt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.28.2

Affected versions

2.*

2.3.0

2.3.1

2.3.2

2.3.3

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.12.2

2.13.0

2.13.1

2.13.2

2.14.0

2.15.0

2.15.1

2.16.0

2.16.1

2.17.0

2.17.1

2.17.2

2.18.0

2.18.1

2.19.0

2.19.1

2.20.0

2.20.1

2.21.0

2.21.1

2.21.2

2.21.3

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.24.0

2.24.1

2.24.2

2.24.3

2.24.4

2.24.5

2.25.0

2.25.1

2.25.2

2.25.3

2.25.4

2.25.5

2.25.6

2.25.7

2.25.8

2.26.0

2.26.1

2.26.2

2.26.3

2.26.4

2.27.0

2.27.1

2.27.2

2.27.3

2.28.0

2.28.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-f633-865q-2mhh/GHSA-f633-865q-2mhh.json"

last_known_affected_version_range

"<= 2.28.1"