CVE-2026-39960— MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Possible ATT&CK Techniques 3AI
T1552 · Unsecured Credentials T1078 · Valid Accounts T1189 · Drive-by CompromiseGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39960
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MantisBT is Vulnerable to Stored XSS through Custom Field Textarea Values
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page, (bug_update_page.php) allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover, full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Mantis Bug Tracker 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Mantis Bug Tracker(MantisBT)是Mantis Bug Tracker开源的一个 bug 跟踪器。 Mantis Bug Tracker 2.28.1及之前版本存在跨站脚本漏洞,该漏洞源于更新问题页面中文本区域自定义字段内容转义不当,可能导致攻击者注入HTML并在页面加载时执行任意JavaScript,从而窃取会话导致管理员账户接管和项目数据完全访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-39960
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39960
请登录查看更多情报信息。
Advisory · 1Patch · 1
IV. Related Vulnerabilities
Same product: mantisbt
- CVE-2026-34970
MantisBT Bugnote Revision Page Leaks Private Issue Metadata - CVE-2026-34754
MantisBT allows unauthorized users to upload attachments to - CVE-2026-34744
MantisBT authorization bypass allows continued access to sel - CVE-2026-34579
MantisBT has an authorization bypass via private issue monit - CVE-2026-34463
MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Same vendor: mantisbt
- CVE-2026-34970
MantisBT Bugnote Revision Page Leaks Private Issue Metadata - CVE-2026-34754
MantisBT allows unauthorized users to upload attachments to - CVE-2026-34744
MantisBT authorization bypass allows continued access to sel - CVE-2026-34579
MantisBT has an authorization bypass via private issue monit - CVE-2026-34463
MantisBT has Stored HTML Injection/XSS via Clone Issue Form
Same weakness: CWE-79
- CVE-2026-39970
TypeBot: Stored Cross-Site Scripting (XSS) via SVG File Uplo - CVE-2026-39964
TypeBot: Stored XSS via javascript: URI in text bubble links - CVE-2026-28445
Typebot: Stored XSS via Rating Block Custom Icon Bypasses is - CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XS - CVE-2026-3481
WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via '
V. Comments for CVE-2026-39960
No comments yet