PT-2026-39880 · Mantisbt

Nozomu Sasaki · Published 2026-05-11 · Updated 2026-05-20 · CVE-2026-39960

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Mantis Bug Tracker (MantisBT) versions prior to 2.28.2

Description: Flawed logic in the Update Issue page (bug_update_page.php) causes improper escaping of textarea custom field contents. This allows an authenticated user with low-privilege bug report permissions to inject HTML and potentially execute arbitrary JavaScript if the Content Security Policy (CSP) settings permit it. Such execution can lead to session theft, administrative account takeover, and unauthorized access to full project data. Exploitation requires a textarea-type custom field to be configured for the project and affects any user viewing the bug edit form, including administrators.

Recommendations: Update to version 2.28.2. As a temporary workaround, keep the default Content Security Policy in place to block inline script execution.
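As an added illustration (not MantisBT's own code), the pattern the advisory describes, a textarea custom field rendered without escaping, beside the escaped rendering, plus a rough check of the CSP workaround; the field name, sample value and function names are constructed for this example:

```python
import html
import re

# Constructed sample value for a textarea-type custom field (not taken from the advisory).
# It carries a closing tag, which is the only thing that can end a <textarea> context.
SAMPLE_VALUE = 'Steps:\n1. open page</textarea><b>injected markup</b>'


def render_textarea_unescaped(name: str, value: str) -> str:
    """Illustrative flawed pattern: the raw value is placed inside <textarea>."""
    return f'<textarea name="{name}">{value}</textarea>'


def render_textarea_escaped(name: str, value: str) -> str:
    """Hardened form: HTML-escape the value so it can never close the textarea."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=False)  # '<' becomes '&lt;', so '</textarea>' cannot appear
    return f'<textarea name="{safe_name}">{safe_value}</textarea>'


def textarea_context_intact(markup: str) -> bool:
    """True if the rendered markup contains exactly one closing </textarea> tag."""
    return len(re.findall(r'</textarea\s*>', markup, flags=re.IGNORECASE)) == 1


def csp_blocks_inline_script(csp: str) -> bool:
    """Approximate check of the workaround: does script-src (falling back to default-src)
    exist and omit 'unsafe-inline'? Nonce/hash sources are not modelled, so a policy that
    pairs 'unsafe-inline' with a nonce is conservatively reported as not blocking."""
    directives = {}
    for part in csp.split(';'):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get('script-src', directives.get('default-src'))
    if sources is None:
        return False  # no applicable directive: inline script is allowed
    return "'unsafe-inline'" not in sources


if __name__ == '__main__':
    for renderer in (render_textarea_unescaped, render_textarea_escaped):
        markup = renderer('custom_field_1', SAMPLE_VALUE)
        print(renderer.__name__, 'context intact:', textarea_context_intact(markup))
    print("default-src 'self'; script-src 'self' blocks inline:",
          csp_blocks_inline_script("default-src 'self'; script-src 'self'"))
```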

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-39960
GHSA-QJ6W-V29Q-4RGX

Affected Products

Mantisbt
Mantisbt/Mantisbt