CVE-2026-40607

Name of the Vulnerable Software and Affected Versions MantisBT (affected versions not specified)

Description Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where the $g show user realname variable is set to ON, leading to Cross-site scripting (XSS). By default, only users with Manager access level or above can save filters publicly.

Recommendations Set $g show user realname = OFF in the configuration to prevent the display of users' real names. Restrict the ability to store filters by setting $g stored query create threshold and $g stored query create shared threshold to NOBODY.