PT-2026-39881 · Mantisbt · Mantisbt

Published 2026-05-11 · Updated 2026-05-23 · CVE-2026-40596
CVSS v4.0 7.2 High
Vector AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions MantisBT (affected versions not specified)
Description An authenticated user can inject arbitrary HTML by updating the font family setting of their own account. The value is stored with the account and written into page markup without encoding, so the injected payload is rendered on every page of the application (a stored cross-site scripting condition rather than a one-off reflection). On its own this yields HTML injection; the application's Content Security Policy (CSP), the browser-side layer that restricts which scripts may load and execute, is what stands between that and script execution. Combined with a CSP bypass, the issue could lead to account takeover, which is why the vector records attack requirements (AT:P) and user interaction (UI:P) as preconditions.
Recommendations At the time of writing, no release containing a fix for this vulnerability has been identified. Until one is available, the CSP the application ships is the remaining barrier to script execution, so it should not be weakened (for example by adding 'unsafe-inline' or broad script sources) as a convenience.
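The pattern the description implies, a per-account font family value written straight into page markup, shown beside a hardened form, as an added illustration. This is not MantisBT's code and does not reproduce its actual rendering path; the function names, the `<style>` emission point, the allowlist and the hostile sample value are assumptions made for this example, written in PHP because that is MantisBT's language.

```php
<?php
// Added illustrative example; not MantisBT's code. It models the pattern the
// advisory describes: a per-account "font family" preference that is stored
// and later written into the markup of every page. All names are assumptions.

declare(strict_types=1);

// Constructed sample preferences: one benign, one hostile. The hostile value
// is a generic HTML-breakout string, not a payload taken from the advisory.
const SAMPLE_PREFS = [
    'benign'  => 'Open Sans, Arial, sans-serif',
    'hostile' => 'sans-serif}</style><img src=x onerror=alert(document.cookie)><style>',
];

// Vulnerable pattern: the preference is concatenated straight into a <style>
// element. The browser treats <style> content as raw text, so a value only
// needs to contain "</style>" to leave the CSS context and start new markup.
function render_font_style_vulnerable(string $font_family): string
{
    return "<style>body { font-family: {$font_family}; }</style>";
}

// Hardened pattern: accept only characters a font-family list legitimately
// needs (letters, digits, spaces, commas, hyphens). Quotes are deliberately
// excluded so the same value stays safe if it is ever moved into a style
// attribute; unquoted multi-word family names such as "Open Sans" are valid
// CSS. Anything else falls back to the default.
const FONT_FAMILY_PATTERN = '/^[A-Za-z0-9 ,\-]{1,200}$/';
const DEFAULT_FONT_FAMILY = 'sans-serif';

function sanitize_font_family(string $font_family): string
{
    if (preg_match(FONT_FAMILY_PATTERN, $font_family) !== 1) {
        return DEFAULT_FONT_FAMILY;
    }
    return $font_family;
}

function render_font_style_hardened(string $font_family): string
{
    // The allowlist already blocks '<' and '>'; encoding is defence in depth
    // for any future move of the value into an attribute context.
    $safe = htmlspecialchars(sanitize_font_family($font_family), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<style>body { font-family: {$safe}; }</style>";
}

// Review check over rendered output: more than the single </style> we emit,
// a <script> element, or an inline event handler means markup was injected.
function markup_was_injected(string $html): bool
{
    return preg_match_all('/<\/style>/i', $html) > 1
        || stripos($html, '<script') !== false
        || preg_match('/<[a-z]+[^>]*\bon[a-z]+\s*=/i', $html) === 1;
}

foreach (SAMPLE_PREFS as $label => $pref) {
    $vuln = render_font_style_vulnerable($pref);
    $hard = render_font_style_hardened($pref);
    printf("%-7s vulnerable: injected=%s\n", $label, markup_was_injected($vuln) ? 'yes' : 'no');
    printf("%-7s hardened:   injected=%s  output=%s\n", $label, markup_was_injected($hard) ? 'yes' : 'no', $hard);
}
```

Run with `php example.php`: the hostile value yields two `</style>` closers and an `onerror` handler through the vulnerable renderer, and falls back to `sans-serif` through the hardened one, while the benign value passes both unchanged. The allowlist is the actual fix here; HTML encoding alone is the wrong tool inside a `<style>` element because its content is raw text and entities are not decoded, so an encoded value would simply be broken CSS rather than a safe one.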

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40596
GHSA-J3V9-553H-X28J

Affected Products

Mantisbt