XSS in Mantisbt

CVE-2026-40597

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (21.7th percentile) — read the EPSS interpretation.

Affected products

Mantisbt — versions < 2.28.2

Weakness classification (CWE)

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC)