CVE-2026-40597

CVSS v4.0

7.6

High

Vector

AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions MantisBT (affected versions not specified)

Description An attacker can bypass the Content Security Policy (CSP) script-src directive by uploading a crafted attachment to an issue. When this attachment is accessed via the 'file download.php' endpoint, it is downloaded with a valid JavaScript MIME type, enabling script execution if a pre-existing XSS or HTML injection vulnerability exists. The payload must be recognized as a valid JavaScript MIME type by the PHP file create finfo() function. Because the X-Content-Type-Options header is set to nosniff, the browser will only import the file into a <script> tag if it possesses a valid JavaScript MIME type.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Improperly Implemented Security Check for Standard

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-358

Related Identifiers

CVE-2026-40597

GHSA-9C3J-XM6V-J7J3

Affected Products

Mantisbt/Mantisbt

CVE-2026-40597

Weakness Enumeration

Related Identifiers

Affected Products

References · 6