CVE-2026-40596: MantisBT is Vulnerable to XSS leading to account takeover via updating a user's font family preference
(updated )
Any authenticated user can inject arbitrary HTML via updating their account’s font family.
References
- github.com/advisories/GHSA-j3v9-553h-x28j
- github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d
- github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
- github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j
- mantisbt.org/bugs/view.php?id=37011
- mantisbt.org/bugs/view.php?id=37016
- nvd.nist.gov/vuln/detail/CVE-2026-40596
Code Behaviors & Features
Detect and mitigate CVE-2026-40596 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →