CVE-2026-40607
HighSummary
Mantis Bug Tracker (MantisBT) versions 2.11.0 through 2.28.1 contain a Stored XSS vulnerability caused by incorrect escaping of a saved filter's owner. This allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname is set to ON.
Risk Assessment
This vulnerability may lead to user data exposure and allow attackers to hijack user sessions. Organizations should be aware of the risks associated with public filter sharing by users with Manager access level or higher.
Recommendation
It is recommended to upgrade to version 2.28.2, where the issue has been fixed. If an upgrade is not possible, disable the display of users' real names and restrict the ability to store filters.
Original NVD description (English source)
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).

