CVE-2026-40607
CWE-79Published: May 22, 2026· Updated: May 22, 2026
Official Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that By default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_ show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).
Technical Analysis
CVE-2026-40607 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
From a weakness classification perspective (CWE-79): Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (3)
Quick Facts
Related CVEs (CWE-79)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-40607 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts