MantisBT 2.11-2.28.1 XSS on font-family field (fixed 2.28.2)
CVE-2026-40596 Published on May 22, 2026
MantisBT is vulnerable to XSS and potential account takeover via user font family preference update
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-40596 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-40596
Want to know whenever a new CVE is published for MantisBT? stack.watch will email you.
Affected Versions
mantisbt Version >= 2.11.0, < 2.28.2 is affected by CVE-2026-40596Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.