CVE-2026-40598 Overview
CVE-2026-40598 is an HTML injection vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracking platform. The flaw affects versions 2.28.1 and below, where the application fails to HTML-escape the redirection page value retrieved from the HTTP Referer header. An attacker can inject HTML into the rendered page through this unsanitized input. Modern browsers typically URL-encode special characters in the Referer header, which limits direct exploitation. However, on specific server configurations, the injected content can poison intermediary caches and lead to stored cross-site scripting (XSS). The issue is classified as CWE-79 and has been resolved in version 2.28.2.
Critical Impact
Successful exploitation can result in cache-poisoned cross-site scripting against MantisBT users, enabling session theft or unauthorized actions within the issue tracker.
Affected Products
- Mantis Bug Tracker (MantisBT) versions 2.28.1 and earlier
- MantisBT deployments behind caching proxies or CDNs are at elevated risk
- Fixed in MantisBT version 2.28.2
Discovery Timeline
- 2026-05-22 - CVE-2026-40598 published to NVD
- 2026-05-23 - Last updated in NVD database
Technical Details for CVE-2026-40598
Vulnerability Analysis
The vulnerability resides in tag_update_page.php, where MantisBT writes the redirect target into a hidden form field without HTML-encoding the value. The redirect value is derived from the HTTP Referer header sent by the client. Because the value is rendered directly inside an HTML attribute, an attacker who controls or influences the Referer value can break out of the attribute context and inject markup. While browsers commonly URL-encode characters in Referer, some proxies, CDNs, and reverse proxy configurations preserve raw characters or normalize requests in ways that allow injection to survive. When cached, the poisoned response is served to subsequent users, converting a reflected condition into a stored cross-site scripting (XSS) issue.
Root Cause
The root cause is missing output encoding. The application echoed $t_redirect_page into an HTML attribute without invoking string_html_specialchars(). Any special characters in the value were rendered verbatim, enabling attribute-context injection.
Attack Vector
An attacker crafts a request that causes a victim or cache layer to populate the Referer with malicious markup, then triggers the tag update flow. If a shared cache stores the response, every downstream user receives the injected payload.
<table class="table table-bordered table-condensed table-striped">
<fieldset>
<input type="hidden" name="tag_id" value="<?php echo $f_tag_id ?>"/>
- <input type="hidden" name="redirect" value="<?php echo $t_redirect_page ?>"/>
+ <input type="hidden" name="redirect" value="<?php echo string_html_specialchars( $t_redirect_page ) ?>"/>
<?php echo form_security_field( 'tag_update' ) ?>
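Review bot: the unchanged tag_id line just above echoes $f_tag_id into its value attribute with no encoding either; that is only safe if $f_tag_id was read through an integer getter earlier in the file, so either confirm that or wrap it in string_html_specialchars() the same way the redirect line now is, so the two hidden fields are encoded consistently.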
Source: MantisBT Security Patch Commit b1ebc57. The patch wraps the redirect value in string_html_specialchars() before output, neutralizing HTML metacharacters.
Detection Methods for CVE-2026-40598
Indicators of Compromise
- HTTP requests to tag_update_page.php containing Referer headers with raw <, >, or " characters
- Cached responses from MantisBT containing unexpected <script> tags or event handlers in the redirect hidden field
- Outbound requests from user browsers to unfamiliar domains after visiting MantisBT tag pages
Detection Strategies
- Inspect web server and proxy access logs for malformed or HTML-bearing Referer headers targeting /tag_update_page.php
- Run authenticated scanners against MantisBT to confirm the running version matches 2.28.2 or later
- Review CDN and reverse proxy cache entries for MantisBT responses containing script payloads in hidden form fields
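As an added example (not from the advisory or the MantisBT project), a small Python scanner that applies the first detection strategy above to constructed Combined Log Format lines: it picks out requests to /tag_update_page.php and reports Referer values carrying raw HTML metacharacters (the precondition this CVE needs) separately from percent-encoded ones (normal browser behaviour). The sample lines, IP addresses and hostnames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format (Apache-style \" escaping), not real
# traffic. Line 2 carries raw metacharacters in Referer, line 3 only percent-encoded ones.
SAMPLE_LOG = r'''
203.0.113.10 - - [22/May/2026:10:01:02 +0000] "GET /tag_update_page.php?tag_id=5 HTTP/1.1" 200 2048 "https://mantis.example/view.php?id=5" "Mozilla/5.0"
203.0.113.11 - - [22/May/2026:10:01:05 +0000] "GET /tag_update_page.php?tag_id=5 HTTP/1.1" 200 2100 "https://mantis.example/x\"><script>1</script>" "curl/8.0"
203.0.113.12 - - [22/May/2026:10:01:09 +0000] "GET /tag_update_page.php?tag_id=7 HTTP/1.1" 200 2048 "https://mantis.example/x%22%3E%3Cscript%3E" "Mozilla/5.0"
203.0.113.13 - - [22/May/2026:10:01:12 +0000] "GET /view.php?id=5 HTTP/1.1" 200 4096 "https://mantis.example/x\"><b>" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
TARGET = '/tag_update_page.php'          # endpoint affected by CVE-2026-40598
HTML_META = set('<>"\'')                 # characters that break out of an attribute

def unescape_field(field):
    """Undo Apache (\\") and nginx (\\x22) escaping inside a quoted log field."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == 'x' and len(tok) == 3 else tok
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', repl, field)

def classify_referer(referer):
    """'raw' if metacharacters appear verbatim (what the injection needs),
    'encoded' if they appear only percent-encoded, None if clean."""
    if HTML_META & set(referer):
        return 'raw'
    if HTML_META & set(unquote(referer)):
        return 'encoded'
    return None

def scan_log(text):
    """Return findings for requests to the affected page with suspicious Referer values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['path'].split('?', 1)[0] != TARGET:
            continue
        referer = unescape_field(m['referer'])
        kind = classify_referer(referer)
        if kind:
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'kind': kind, 'referer': referer})
    return findings
```

Treat 'raw' hits as the high-priority signal and 'encoded' ones as context; a request to a non-affected path with the same Referer (line 4) is deliberately not reported.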
Monitoring Recommendations
- Alert on anomalous spikes in requests to MantisBT tag management endpoints from a single source
- Monitor for browser-side Content Security Policy (CSP) violation reports originating from MantisBT pages
- Audit cache hit ratios and purge logs for the MantisBT hostname to detect cache poisoning attempts
How to Mitigate CVE-2026-40598
Immediate Actions Required
- Upgrade MantisBT to version 2.28.2 or later without delay
- Purge any caches and CDN edge nodes serving MantisBT responses to remove poisoned entries
- Review server logs for prior exploitation attempts targeting tag_update_page.php
Patch Information
The fix is delivered in MantisBT 2.28.2 and applied via commit b1ebc57763f104eb5f541b7b4d1ce6948168abd9. See the GitHub Security Advisory GHSA-6jh4-47v2-4g37 and MantisBT Bug Report #37017 for full details. The patch routes the redirect value through string_html_specialchars() before rendering it in the HTML attribute.
Workarounds
- Configure the reverse proxy or web application firewall (WAF) to strip or sanitize Referer headers containing HTML metacharacters before they reach MantisBT
- Disable response caching for authenticated MantisBT endpoints until the upgrade is applied
- Enforce a strict Content Security Policy (CSP) that blocks inline scripts on MantisBT pages
# Example NGINX rule to drop suspicious Referer headers
# The map must sit in the http {} context; the location belongs in the MantisBT server {} block.
map $http_referer $bad_referer {
    default      0;
    "~*[<>\"']"  1;   # any raw HTML metacharacter in the Referer value
}
server {
    location /tag_update_page.php {
        if ($bad_referer) {
            return 400;
        }
        proxy_pass http://mantisbt_backend;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.