Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-3p27-9b1r-nqbh
Vulnerability ID VCID-3p27-9b1r-nqbh
Aliases CVE-2026-39960
GHSA-qj6w-v29q-4rgx
Summary MantisBT is Vulnerable to Stored XSS in Custom Field Textarea Values Improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php) allows an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. ### Impact Session theft leading to admin account takeover, full project data access. - Precondition: A textarea-type custom field must be configured for the project - Attacker: Authenticated user with bug report permission (low privilege) - Victim: Any user viewing the bug edit form, including administrators ### Patches - 5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 ### Workarounds The default Content-Security Policy will block script execution. ### References - https://mantisbt.org/bugs/view.php?id=37003 - This is related to [CVE-2024-34081](https://github.com/advisories/GHSA-wgx7-jp56-65mq). ### Credits Thanks to the following security researchers for independently discovering and responsibly reporting the issue, and providing a patch to fix it. - Thanks to Nozomu Sasaki (Paul) (@morimori-dev) - Tristan Madani (@TristanInSec) from Talence Security
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-39960
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-39960
epss 0.00033 https://api.first.org/data/v1/epss?cve=CVE-2026-39960
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-qj6w-v29q-4rgx
cvssv3.1 5.4 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv3.1 5.4 https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
ssvc Track https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
cvssv3.1 5.4 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
cvssv3.1 5.4 https://mantisbt.org/bugs/view.php?id=37003
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=37003
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-39960
https://github.com/mantisbt/mantisbt
https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
https://mantisbt.org/bugs/view.php?id=37003
GHSA-qj6w-v29q-4rgx https://github.com/advisories/GHSA-qj6w-v29q-4rgx
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-21T13:29:35Z/ Found at https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-21T13:29:35Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://mantisbt.org/bugs/view.php?id=37003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.10257
EPSS Score 0.00033
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:00:37.765509+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qj6w-v29q-4rgx/GHSA-qj6w-v29q-4rgx.json 38.6.0