GHSA-qj6w-v29q-4rgx

Source
https://github.com/advisories/GHSA-qj6w-v29q-4rgx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qj6w-v29q-4rgx/GHSA-qj6w-v29q-4rgx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qj6w-v29q-4rgx
Aliases
  • CVE-2026-39960
Published
2026-05-11T19:34:32Z
Modified
2026-05-11T19:49:49.879241Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values
Details

Improper escaping of a textarea custom field's contents in the Update Issue page (bugupdatepage.php) allows an attacker to inject HTML into the page and, if the instance's Content-Security-Policy settings permit, execute arbitrary JavaScript whenever the page is loaded. The injected value is stored with the issue, so it affects every user who later opens the edit form for that issue.

Impact

Session theft leading to admin account takeover and full project data access.

  • Precondition: A textarea-type custom field must be configured for the project
  • Attacker: Authenticated user with bug report permission (low privilege)
  • Victim: Any user viewing the bug edit form, including administrators
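The following is an added example (not MantisBT's code, and not the patch referenced below) that models the two halves of the issue described above: how a stored textarea value rendered without entity encoding escapes the `<textarea>` element and becomes markup, and a triage scan an operator can run over exported custom field values to find injection attempts stored while an affected version was in use. The rendering helpers, field names, sample rows and the suspicious-pattern list are all constructed for illustration; the advisory does not quote the vulnerable code or the payload.

```python
"""Added example (not MantisBT's code): stored XSS through an unescaped
textarea custom field, and a triage scan over stored values.

Assumptions (not from the advisory): the vulnerable page emits the stored
value verbatim between <textarea> tags; the hardened version entity-encodes
it. Field names, sample rows and helper names are made up for the demo.
"""
import html
import re

# Constructed sample of what a low-privilege reporter could store in a
# textarea-type custom field: it closes the textarea early and then injects
# an element with an event handler into the Update Issue form.
SAMPLE_PAYLOAD = '</textarea><img src=x onerror="alert(document.cookie)">'


def render_textarea_unescaped(field_name: str, value: str) -> str:
    """Vulnerable rendering pattern: the value is concatenated verbatim."""
    return f'<textarea name="{field_name}">{value}</textarea>'


def render_textarea_escaped(field_name: str, value: str) -> str:
    """Hardened rendering: entity-encode the value (and the attribute) so
    '<', '>', '&' and quotes cannot terminate the element or open a tag."""
    return (f'<textarea name="{html.escape(field_name, quote=True)}">'
            f'{html.escape(value, quote=True)}</textarea>')


def breaks_out(rendered: str) -> bool:
    """True if the rendered fragment contains more than the two expected
    tags (open and close), i.e. the value stopped being text content and
    became markup."""
    return len(re.findall(r'<[^>]+>', rendered)) != 2


# Constructed heuristics for triage, not an exhaustive XSS grammar: textarea
# breakouts, script tags, common script-bearing elements, inline event
# handlers and javascript: URLs.
SUSPICIOUS = re.compile(
    r'</\s*textarea|<\s*script|<\s*(?:img|svg|iframe|object|embed)\b|'
    r'\bon[a-z]+\s*=|javascript:',
    re.IGNORECASE,
)


def triage_stored_values(rows):
    """rows: iterable of (bug_id, field_name, value) as exported from the
    custom field value table. Returns the rows whose value looks like an
    injection attempt, for manual review."""
    return [row for row in rows if SUSPICIOUS.search(row[2])]


# Constructed export rows for the demonstration.
SAMPLE_ROWS = [
    (101, "repro_steps", "1. open the page\n2. click save"),
    (102, "repro_steps", SAMPLE_PAYLOAD),
    (103, "notes", "Use <b>bold</b> here"),        # markup, no script vector
    (104, "notes", "see javascript:void(0) link"),  # javascript: URL
]

if __name__ == "__main__":
    print("vulnerable:", render_textarea_unescaped("repro_steps", SAMPLE_PAYLOAD))
    print("hardened:  ", render_textarea_escaped("repro_steps", SAMPLE_PAYLOAD))
    for bug_id, field, _ in triage_stored_values(SAMPLE_ROWS):
        print("review bug", bug_id, "field", field)
```

The triage half is only a first pass: it reports candidates for a human to read, and a clean scan does not prove no payload was stored, since the patterns are deliberately narrow. Anything it flags on an instance that ran 2.28.1 or earlier should be edited or removed after upgrading, because the fix changes rendering, not the stored data.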

Patches

  • 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7

Workarounds

The default Content-Security-Policy blocks script execution, so the injected JavaScript only runs on instances whose CSP configuration has been relaxed. The HTML injection itself is not prevented by the CSP; upgrading to 2.28.2 fixes the underlying escaping bug.
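Because the workaround depends entirely on the CSP actually delivered by a given instance, an operator should check the header rather than assume the default is still in place. The following is an added example (not MantisBT's code) that takes a raw HTTP response, extracts the Content-Security-Policy header and decides whether an injected inline script or event handler could execute under it. The sample responses are constructed; the advisory states that the default policy blocks script execution but does not quote the policy, so none of the header values below are MantisBT's actual header.

```python
"""Added example (not MantisBT's code): does a response's CSP let injected
inline script run? Sample responses are constructed for the demo.
"""


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}. Per the spec the
    first occurrence of a directive wins; later duplicates are ignored."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_script_allowed(header: str) -> bool:
    """True if the policy would let an injected <script> or on* handler run.

    script-src governs scripts; if it is absent, default-src applies; if
    neither is present there is no restriction at all. 'unsafe-inline' is
    ignored by browsers when a nonce or hash source is also listed, which is
    why a naive substring search for 'unsafe-inline' gives the wrong answer.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def csp_from_response(raw_response: str):
    """Return the Content-Security-Policy header value from a raw HTTP
    response, or None if the response carries no such header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def assess(raw_response: str) -> str:
    header = csp_from_response(raw_response)
    if header is None:
        return "no CSP header: injected script would run"
    if inline_script_allowed(header):
        return "inline script allowed: CSP does not mitigate this issue"
    return "inline script blocked"


# Constructed responses: a nonce-based policy, a relaxed policy, no policy.
SAMPLE_RESPONSES = {
    "restrictive": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self'; "
        "script-src 'self' 'nonce-abc123'\r\n\r\n<html>"
    ),
    "relaxed": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self'; "
        "script-src 'self' 'unsafe-inline'\r\n\r\n<html>"
    ),
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(f"{label}: {assess(raw)}")
```

Feed `assess()` the headers your own instance returns (captured with `curl -sI` or the browser's network panel, ideally on the Update Issue page itself, since that is where the value is rendered). "Inline script blocked" means the workaround holds for script execution on that instance; it says nothing about the HTML injection, which only the upgrade removes.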

References

  • https://mantisbt.org/bugs/view.php?id=37003
  • This is related to CVE-2024-34081.

Credits

Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and for providing a patch to fix it:

  • Nozomu Sasaki (Paul) (@morimori-dev)
  • Tristan Madani (@TristanInSec) from Talence Security

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T19:34:32Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
Affected packages

Packagist / mantisbt/mantisbt

Package

Name
mantisbt/mantisbt
Purl
pkg:composer/mantisbt/mantisbt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.28.2

Affected versions

2.*
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.1
2.4.2
2.5.0
2.5.1
2.5.2
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.12.2
2.13.0
2.13.1
2.13.2
2.14.0
2.15.0
2.15.1
2.16.0
2.16.1
2.17.0
2.17.1
2.17.2
2.18.0
2.18.1
2.19.0
2.19.1
2.20.0
2.20.1
2.21.0
2.21.1
2.21.2
2.21.3
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.24.0
2.24.1
2.24.2
2.24.3
2.24.4
2.24.5
2.25.0
2.25.1
2.25.2
2.25.3
2.25.4
2.25.5
2.25.6
2.25.7
2.25.8
2.26.0
2.26.1
2.26.2
2.26.3
2.26.4
2.27.0
2.27.1
2.27.2
2.27.3
2.28.0
2.28.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qj6w-v29q-4rgx/GHSA-qj6w-v29q-4rgx.json"
last_known_affected_version_range
"<= 2.28.1"