CVE-2026-40596
HighSummary
Mantis Bug Tracker (MantisBT) versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. As a result, an XSS payload could be reflected on every MantisBT page.
Risk Assessment
Exploitation of this vulnerability could lead to account takeover, especially when combined with another vulnerability (CSP bypass).
Recommendation
It is recommended to upgrade to version 2.28.2, where the issue has been fixed.
Original NVD description (English source)
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2.

