CVE Catalog

CVE-2026-40597

High
Published: Translated: NVD NIST

Summary

Mantis Bug Tracker (MantisBT) versions 2.28.1 and below have a vulnerability that allows an attacker to bypass the script-src directive in the Content Security Policy (CSP) by uploading a malicious attachment to any issue. When the file is downloaded via the file_download.php link, the malicious JavaScript code can be executed.

Risk Assessment

The organization may be exposed to the execution of malicious JavaScript code, potentially leading to data theft, session hijacking, or other attacks on the system.

Recommendation

It is recommended to upgrade MantisBT to version 2.28.2 or later to mitigate this vulnerability and to review the content security policy to strengthen protection against XSS attacks.

Original NVD description (English source)

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS