PatchSiren cyber security CVE debrief

CVE-2026-39960 mantisbt CVE debrief

CVE-2026-39960 affects Mantis Bug Tracker versions 2.28.1 and below. According to the CVE description published on 2026-05-20, flawed escaping in the Update Issue page (bug_update_page.php) lets an authenticated low-privilege user inject HTML, and potentially JavaScript if the site's Content Security Policy (CSP) permits script execution. The issue can expose sessions and, in the worst case described, lead to administrator account takeover and full project data access. The issue is fixed in MantisBT 2.28.2; the default CSP is described as a workaround if an immediate upgrade is not possible.

Vendor: mantisbt
Product: Unknown
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

MantisBT operators, especially administrators and project maintainers, should care if any project uses textarea-type custom fields and low-privilege users can create or update bug reports. Any user who views the bug edit form may be exposed, administrators included.

Technical summary

The vulnerability is a cross-site scripting (XSS) flaw (CWE-79) in the Update Issue page. The CVE and GitHub advisory describe improper escaping of textarea custom field contents in bug_update_page.php, which can result in HTML injection and, if the CSP is permissive, JavaScript execution. Exploitation requires a configured textarea-type custom field and an authenticated attacker with bug report permission.
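The escaping defect described above is the generic CWE-79 pattern: a stored field value is interpolated into the edit form's markup without being encoded for the HTML context it lands in. The following added example (not MantisBT's code; the field value and the two render functions are constructed for illustration) shows the unsafe pattern beside the hardened one, and a small containment check a reviewer can run over rendered fragments to confirm that field content can no longer close the `<textarea>` element it is placed in.

```python
import html
import re

# Constructed sample of what a textarea-type custom field might hold.
# It is not taken from the advisory; it only shows why the close tag matters.
SAMPLE_FIELD_VALUE = (
    "Steps to reproduce:\n"
    "1. open the page\n"
    "</textarea><b>injected markup</b><textarea>"
)


def render_textarea_unsafe(name: str, value: str) -> str:
    """Illustrative 'before' (hypothetical, not the project's code):
    the stored value is dropped into the markup verbatim, so any '</textarea>'
    inside it ends the element and everything after it is parsed as HTML."""
    return f'<textarea name="{name}">{value}</textarea>'


def render_textarea_safe(name: str, value: str) -> str:
    """Hardened form: encode &, <, >, " and ' for the HTML text context.
    The browser still shows the literal characters in the textarea, but the
    value can no longer terminate the element or introduce new tags."""
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<textarea name="{safe_name}">{safe_value}</textarea>'


def count_tags(markup: str) -> int:
    """Count tag-like tokens in a rendered fragment."""
    return len(re.findall(r"<[^>]+>", markup))


def field_stays_contained(markup: str) -> bool:
    """A correctly escaped single textarea renders exactly two tags
    (the open and close tag) and exactly one '</textarea>'."""
    return count_tags(markup) == 2 and markup.count("</textarea>") == 1


if __name__ == "__main__":
    unsafe = render_textarea_unsafe("custom_field_1", SAMPLE_FIELD_VALUE)
    safe = render_textarea_safe("custom_field_1", SAMPLE_FIELD_VALUE)
    print("unsafe contained:", field_stays_contained(unsafe))  # False
    print("safe contained:  ", field_stays_contained(safe))    # True
```

The containment check is deliberately crude: it is a regression guard for a template or review pipeline, not a substitute for context-aware encoding at every output point. The fix that matters is the one in `render_textarea_safe`: encode for the exact HTML context (element text here; attribute, URL and JavaScript contexts each need their own encoder).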

Defensive priority

Medium priority. The CVSS vector provided is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network-reachable attack conditions that nevertheless require authentication and user interaction. Prioritize upgrading to the fixed release where MantisBT is exposed to regular users or where administrators review bug edit forms.

Recommended defensive actions

  • Upgrade MantisBT to version 2.28.2 or later.
  • If an upgrade is not immediate, keep the default Content Security Policy enabled as described in the advisory.
  • Review projects that use textarea-type custom fields in bug reporting or issue editing workflows.
  • Limit bug report permissions to the minimum necessary set of authenticated users.
  • Treat bug edit pages as sensitive and verify they do not render untrusted field content unsafely.
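The second action relies on the CSP actually preventing inline script execution, which is easy to undermine by a local configuration change. The following added example (not MantisBT's code; the advisory does not quote the default policy, so the header strings are constructed) parses a Content-Security-Policy header and reports whether it still permits inline script, using the CSP rules that `script-src` falls back to `default-src`, and that `'unsafe-inline'` is ignored when a nonce, a hash source or `'strict-dynamic'` is also present.

```python
# Constructed header samples for the check below; they are not MantisBT's defaults.
SAMPLE_HEADERS = {
    "restrictive": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "fallback_permissive": "default-src 'self' 'unsafe-inline'",
    "nonce_neutralises_inline": "script-src 'self' 'unsafe-inline' 'nonce-d3adb33f'",
    "no_policy": "",
}

HASH_PREFIXES = ("sha256-", "sha384-", "sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}.
    Per the specification the first occurrence of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_script_sources(policy: dict):
    """script-src governs scripts; if absent, default-src applies; if both are
    absent there is no restriction on script execution at all."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def inline_script_permitted(header: str) -> bool:
    """True when the policy would let an injected inline <script> run."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no script-src and no default-src: nothing blocks inline script
    keywords = [s.strip("'").lower() for s in sources]
    if "unsafe-inline" not in keywords:
        return False
    # Browsers that understand nonces/hashes/'strict-dynamic' ignore 'unsafe-inline'
    # when any of those is present, so the keyword alone does not grant execution.
    for kw in keywords:
        if kw == "strict-dynamic" or kw.startswith("nonce-") or kw.startswith(HASH_PREFIXES):
            return False
    return True


def audit_headers(headers: dict) -> dict:
    """Evaluate several header strings at once, e.g. captured from each MantisBT vhost."""
    return {label: inline_script_permitted(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, permitted in audit_headers(SAMPLE_HEADERS).items():
        print(f"{label:28s} inline script permitted: {permitted}")
```

In practice, feed `inline_script_permitted` the header string captured from a response of the deployed instance (for example from browser developer tools or the web server's access layer) rather than the sample strings; a result of True means the workaround the advisory describes is not in effect on that host and the upgrade should not wait.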

Evidence notes

This debrief is based only on the supplied CVE record and the official GitHub references. The CVE record states the product, affected versions, impact, required conditions, and fixed version. The source metadata also lists CWE-79 and the CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. No KEV entry was provided.

Official resources

Publicly disclosed on 2026-05-20 per the supplied CVE published date.