CVE-2026-39960

Description

Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. ### Impact Session theft leading to admin account takeover, full project data access. - Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators ### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 ### Workarounds The default Content-Security Policy will block script execution. ### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq). ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security

How to fix CVE-2026-39960

To remediate CVE-2026-39960, upgrade the affected package to a fixed version below.

• —upgrade to 2.28.2 or later

Is CVE-2026-39960 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.28.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-39960
• PATCHgithub.com/mantisbt/mantisbt
• WEBgithub.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
• WEBgithub.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx