CVE-2026-39960 Overview
CVE-2026-39960 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in Mantis Bug Tracker (MantisBT), an open source issue tracking system. Versions 2.28.1 and earlier improperly escape textarea custom field contents on the Update Issue page (bug_update_page.php). An authenticated user with bug report permission can inject HTML and, if the Content Security Policy (CSP) allows it, execute arbitrary JavaScript when other users load the bug edit form. Successful exploitation enables session theft, leading to administrator account takeover and full project data access. The issue is fixed in MantisBT version 2.28.2.
Critical Impact
A low-privileged authenticated attacker can hijack administrator sessions and access all project data by injecting malicious script into a textarea custom field rendered on the issue update page.
Affected Products
- Mantis Bug Tracker (MantisBT) versions 2.28.1 and below
- Deployments where a textarea-type custom field is configured for a project
- Instances running with a non-default Content Security Policy that permits script execution
Discovery Timeline
- 2026-05-20 - CVE-2026-39960 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-39960
Vulnerability Analysis
The flaw resides in the rendering logic for textarea-type custom fields on the Update Issue page (bug_update_page.php). MantisBT fails to properly escape user-supplied content stored in these fields before rendering it back into HTML. As a result, an attacker can submit a value containing HTML or JavaScript payloads that the application later renders to other users without escaping.
The vulnerability is classified as Cross-Site Scripting [CWE-79]. The attack requires authentication and user interaction, since the malicious payload triggers only when another user opens the bug edit form. The CVSS scope is changed because injected script executes in the browser context of any user viewing the affected issue, including administrators.
Impact includes session cookie theft, forced actions in the victim's session, and ultimately administrator account takeover. Once an administrator session is compromised, the attacker gains full project data access.
Root Cause
The root cause is improper output encoding of textarea custom field values. MantisBT's logic in bug_update_page.php renders stored field contents without applying the HTML-escaping routines used elsewhere in the application. This breaks the assumption that user-supplied custom field data is rendered as text rather than markup.
Attack Vector
An attacker with low-privileged bug report permission creates or edits an issue containing a malicious payload in a textarea custom field. When any user, including an administrator, opens the issue update page, the browser parses and executes the injected HTML or JavaScript. The attack vector is network-based and requires user interaction.
No verified exploit code is publicly available. For technical specifics, refer to the GitHub Security Advisory GHSA-qj6w-v29q-4rgx and the GitHub Commit Update implementing the fix.
Detection Methods for CVE-2026-39960
Indicators of Compromise
- Textarea custom field values containing HTML tags such as <script>, <img onerror=...>, or <svg onload=...>.
- Unexpected outbound HTTP requests from administrator browsers shortly after viewing an issue update page.
- Session reuse from unfamiliar IP addresses immediately following access to a bug containing untrusted custom field data.
Detection Strategies
- Audit MantisBT database tables storing custom field values for entries containing HTML markup or JavaScript event handlers.
- Review web server access logs for bug_update_page.php requests followed by anomalous administrative actions in the same session.
- Inspect Content-Security-Policy response headers to confirm whether the deployment runs the default restrictive CSP.
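The following is an added example (not MantisBT code) that serves two points above: the root cause, where a stored value is interpolated into the page as markup instead of being HTML-escaped, and the audit of stored custom field values for HTML tags and event handlers. The row layout, the wrapper element used for rendering, and the sample field values are all constructed for illustration and do not mirror MantisBT's schema or templates; the scanner uses Python's standard html.parser so that it sees tags the way a browser would rather than relying on a regular expression.

```python
"""Scan stored custom-field values for HTML markup and show the effect of
output escaping.  Added example; not MantisBT code.  Row ids, the wrapper
element and the sample values are constructed for illustration."""
import html
from html.parser import HTMLParser


class MarkupFinder(HTMLParser):
    """Collect start tags, on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag:{tag}")
        for name, value in attrs:           # attrs are already lower-cased names
            if name.startswith("on"):
                self.findings.append(f"handler:{tag}@{name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"jsurl:{tag}@{name}")


def find_markup(value):
    """Return the suspicious constructs found in one stored field value.
    Plain text such as 'a < b' yields nothing, because '<' followed by a
    space is not a tag opener."""
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def scan_field_values(rows):
    """rows: {row_id: stored_value}. Returns {row_id: findings} for rows
    containing markup, i.e. the entries an auditor should review."""
    return {row_id: f for row_id, value in rows.items() if (f := find_markup(value))}


def render_field(value, escape):
    """Hypothetical rendering of a custom field value inside a <div>.
    escape=False is the vulnerable pattern (value interpolated as raw HTML);
    escape=True is the hardened pattern (value rendered as text)."""
    body = html.escape(value, quote=True) if escape else value
    return f'<div class="custom-field">{body}</div>'


def rendered_markup(rendered_html):
    """Everything the parser sees in the rendered fragment apart from the
    wrapper <div> itself; empty means the value stayed text."""
    return [f for f in find_markup(rendered_html) if f != "tag:div"]


# Constructed sample rows: two benign values and three carrying markup.
SAMPLE_FIELD_VALUES = {
    101: "Steps: open the form, click Save. Expected: no error.",
    102: "Comparison: a < b and b > c works, but a <= b fails.",
    103: '<img src=x onerror="alert(1)">',
    104: "<svg onload=alert(1)>",
    105: '<a href="javascript:alert(1)">details</a>',
}

if __name__ == "__main__":
    for row_id, findings in scan_field_values(SAMPLE_FIELD_VALUES).items():
        print(row_id, findings)
    payload = SAMPLE_FIELD_VALUES[103]
    print("unescaped:", rendered_markup(render_field(payload, escape=False)))
    print("escaped:  ", rendered_markup(render_field(payload, escape=True)))
```

Running the script flags rows 103, 104 and 105 and leaves the two prose values alone; the same payload rendered with escaping produces no tags or handlers, which is exactly the property the fix restores.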
Monitoring Recommendations
- Monitor browser-side errors or CSP violation reports from MantisBT users to surface attempted script execution.
- Alert on creation or modification of custom field definitions of type textarea in projects that did not previously use them.
- Track administrator session activity for actions originating from clients that recently loaded issues authored by low-privileged users.
How to Mitigate CVE-2026-39960
Immediate Actions Required
- Upgrade MantisBT to version 2.28.2, which contains the official fix for CVE-2026-39960.
- Verify that the default Content-Security Policy is enforced and not weakened by custom headers or reverse proxy configuration.
- Review existing textarea custom field values for stored payloads and sanitize or remove entries containing HTML or script content.
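As an added example (not MantisBT code) for the two CSP checks above, the script below evaluates the Content-Security-Policy headers of an HTTP response and reports the directives that would let injected markup execute script: a missing or report-only policy, 'unsafe-inline' without a nonce or hash, wildcard or scheme-only script sources, and 'unsafe-eval'. The sample header sets are constructed and do not reproduce the policy MantisBT ships; the function takes a plain list of (name, value) pairs so it can be fed from any HTTP client or from a captured response.

```python
"""Evaluate Content-Security-Policy response headers for settings that let
injected script run.  Added example; not MantisBT code.  The sample headers
are constructed and are not MantisBT's shipped policy."""

# Scheme-only sources allow <script src> from any host on that scheme.
SCHEME_SOURCES = {"http:", "https:", "data:", "blob:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Split one header value into {directive: [source, ...]}, lower-cased.
    Per the CSP spec, the first occurrence of a duplicated directive wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def script_sources(policy):
    """script-src governs script execution and falls back to default-src;
    None means neither is present and scripts are unrestricted."""
    for directive in ("script-src", "default-src"):
        if directive in policy:
            return policy[directive]
    return None


def policy_weaknesses(value):
    """Reasons one enforced policy would let injected script run.
    An empty list means the policy is restrictive for script execution."""
    sources = script_sources(parse_csp(value))
    if sources is None:
        return ["no script-src or default-src: script execution is unrestricted"]
    reasons = []
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    strict_dynamic = "'strict-dynamic'" in sources
    # Browsers ignore 'unsafe-inline' when a nonce or hash is also listed.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        reasons.append("'unsafe-inline' allows inline scripts and event-handler attributes")
    # Host and scheme allow-lists are ignored when 'strict-dynamic' is present.
    if "*" in sources and not strict_dynamic:
        reasons.append("'*' allows <script src> from any origin")
    for s in sources:
        if s in SCHEME_SOURCES and not strict_dynamic:
            reasons.append(f"{s} allows <script src> from any host on that scheme")
    if "'unsafe-eval'" in sources:
        reasons.append("'unsafe-eval' allows eval() of attacker-controlled strings")
    return reasons


def evaluate_csp(headers):
    """headers: list of (name, value) pairs from an HTTP response.
    Returns the reasons the deployment permits injected script; an empty
    list means at least one enforced policy restricts script execution."""
    enforced = [v for n, v in headers if n.lower() == "content-security-policy"]
    report_only = [v for n, v in headers
                   if n.lower() == "content-security-policy-report-only"]
    if not enforced:
        if report_only:
            return ["only Content-Security-Policy-Report-Only is set: "
                    "violations are reported, not blocked"]
        return ["no Content-Security-Policy header: injected script is not blocked"]
    # With several enforced policies a script must satisfy every one of
    # them, so a single restrictive policy is sufficient.
    per_policy = [policy_weaknesses(v) for v in enforced]
    if any(not weak for weak in per_policy):
        return []
    return sorted({reason for weak in per_policy for reason in weak})


# Constructed sample responses (not MantisBT's actual default policy).
RESTRICTIVE = [("Content-Type", "text/html; charset=UTF-8"),
               ("Content-Security-Policy",
                "default-src 'self'; script-src 'self' 'nonce-d2ViYXBw'; frame-ancestors 'self'")]
WEAKENED = [("Content-Security-Policy",
             "default-src 'self'; script-src 'self' 'unsafe-inline' https:")]
REPORT_ONLY = [("Content-Security-Policy-Report-Only", "default-src 'self'")]

if __name__ == "__main__":
    for label, hdrs in (("restrictive", RESTRICTIVE), ("weakened", WEAKENED),
                        ("report-only", REPORT_ONLY)):
        print(label, evaluate_csp(hdrs) or "ok")
```

Because a reverse proxy may add or replace the header, feed the function the headers as observed by a browser at the edge rather than those emitted by PHP alone; a result of "ok" for the edge response is the confirmation the action item asks for.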
Patch Information
The vulnerability is fixed in MantisBT 2.28.2. The corrective change is documented in the GitHub Commit Update and explained in the GitHub Security Advisory GHSA-qj6w-v29q-4rgx. Administrators should apply the upgrade promptly, particularly on internet-exposed instances or those used by multiple project teams.
Workarounds
- Retain the default Content-Security Policy shipped with MantisBT, which blocks inline and arbitrary script execution.
- Temporarily remove or disable textarea-type custom fields in projects where untrusted users can submit bug reports.
- Restrict bug report permissions to vetted accounts until the patch can be applied.
# Configuration example: confirm default CSP is active in config_inc.php
# (Do not override $g_content_security_policy_directive with a permissive value)
grep -n "content_security_policy" /path/to/mantisbt/config/config_inc.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.