CVE-2026-40597: MantisBT has a Content Security Policy bypass via attachments
Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue. When that attachment is fetched through its file_download.php link, it is served with a valid JavaScript MIME type, so a same-origin <script src="..."> tag pointing at the link is allowed by script-src 'self' and the attachment executes as script.
The uploaded payload must be detected as a JavaScript MIME type by PHP's finfo (see the file_create_finfo() API function). An attachment served with any other MIME type will not be executed from a <script> tag, because the response carries the X-Content-Type-Options: nosniff header, which makes the browser reject every script resource whose Content-Type is not a JavaScript MIME type.
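The following is an added example, not code from MantisBT or from the advisory, that models the browser-side decision the description relies on: a <script src> is executed only if CSP script-src allows the attachment URL and, because of nosniff, the Content-Type is one of the JavaScript MIME types from the WHATWG MIME Sniffing standard. The CSP matcher is deliberately simplified ('self', 'none' and host sources only), the file_download.php query parameters and the tracker hostnames are assumed, and safe_attachment_headers() is a hypothetical server-side mitigation rather than the project's fix.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# JavaScript MIME type essences as listed in the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


@dataclass
class Response:
    """A constructed HTTP response: the URL it came from and its lower-cased headers."""
    url: str
    headers: dict = field(default_factory=dict)


def mime_essence(content_type):
    """'text/javascript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def csp_allows_script(policy, page_url, script_url):
    """Simplified script-src matching: 'self', 'none' and host sources given as origins.
    Nonce/hash sources can never be satisfied by an injected tag, so they are skipped."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    if not sources or "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'":
            if origin(script_url) == origin(page_url):
                return True
        elif not src.startswith("'"):
            host_source = src if "://" in src else "https://" + src
            if origin(script_url) == origin(host_source):
                return True
    return False


def nosniff_set(headers):
    """Fetch's 'determine nosniff': first list member of X-Content-Type-Options is 'nosniff'."""
    value = headers.get("x-content-type-options", "")
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def script_would_execute(policy, page_url, resp):
    """Model of the browser's decision for a <script src> injected into page_url."""
    if not csp_allows_script(policy, page_url, resp.url):
        return False
    ct = mime_essence(resp.headers.get("content-type", ""))
    # Fetch: 'should response be blocked due to its MIME type?' (destination script)
    if ct.startswith(("audio/", "image/", "video/")) or ct == "text/csv":
        return False
    # Fetch: 'should response be blocked due to nosniff?' (destination script)
    if nosniff_set(resp.headers) and ct not in JAVASCRIPT_MIME_TYPES:
        return False
    return True


def safe_attachment_headers(detected_mime):
    """Hypothetical mitigation (not MantisBT's fix): never echo a finfo-detected JavaScript
    MIME type back to the browser; serve such attachments as application/octet-stream."""
    essence = mime_essence(detected_mime)
    if essence in JAVASCRIPT_MIME_TYPES:
        essence = "application/octet-stream"
    return {"content-type": essence, "x-content-type-options": "nosniff",
            "content-disposition": "attachment"}


# Constructed sample: issue page on the tracker origin with a same-origin CSP, and a
# crafted attachment fetched through file_download.php (query parameters assumed).
PAGE_URL = "https://tracker.example/view.php?id=1"
POLICY = "default-src 'self'; script-src 'self'"
DOWNLOAD_URL = "https://tracker.example/file_download.php?file_id=5&type=bug"


def demo():
    js_mime = {"content-type": "text/javascript", "x-content-type-options": "nosniff"}
    octet = {"content-type": "application/octet-stream", "x-content-type-options": "nosniff"}
    other_origin = "https://files.example/file_download.php?file_id=5&type=bug"
    return {
        "javascript_mime_same_origin": script_would_execute(POLICY, PAGE_URL, Response(DOWNLOAD_URL, js_mime)),
        "octet_stream_same_origin": script_would_execute(POLICY, PAGE_URL, Response(DOWNLOAD_URL, octet)),
        "javascript_mime_other_origin": script_would_execute(POLICY, PAGE_URL, Response(other_origin, js_mime)),
        "hardened_same_origin": script_would_execute(
            POLICY, PAGE_URL, Response(DOWNLOAD_URL, safe_attachment_headers("text/javascript"))),
    }


if __name__ == "__main__":
    for case, executes in demo().items():
        print(f"{case}: {'EXECUTES' if executes else 'blocked'}")
```

Running demo() shows the three conditions the advisory names: the payload executes only when the attachment URL is same-origin (so script-src 'self' admits it) and the Content-Type is a JavaScript MIME type; changing either one blocks it. The nosniff check keys on Content-Type alone, so the Content-Disposition header in the mitigation is only a download hint; forcing a non-JavaScript Content-Type is what closes the script path.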