MantisBT 2.28.1/earlier: XSS via Referer redirect (fixed in 2.28.2)
CVE-2026-40598 Published on May 22, 2026
MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-40598 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2026-40598
Want to know whenever a new CVE is published for MantisBT? stack.watch will email you.
Affected Versions
mantisbt Version < 2.28.2 is affected by CVE-2026-40598Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.