CVE-2026-40607

Description

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. ### Impact Cross-site scripting (XSS). Note that By default, only users with *Manager* access level or above can save their filters publicly ### Patches - 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010 ### Workarounds - Prevent display of users' real name (set `$g_ show_user_realname = OFF;` in configuration) - Restrict ability to store filters (set $`g_stored_query_create_threshold` / $`g_stored_query_create_shared_threshold` to `NOBODY` ### Credits Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

How to fix CVE-2026-40607

To remediate CVE-2026-40607, upgrade the affected package to a fixed version below.

• —upgrade to 2.28.2 or later

Is CVE-2026-40607 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.1.0, < 2.28.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40607
• PATCHgithub.com/mantisbt/mantisbt
• WEBgithub.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
• WEBgithub.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh