CVSS 7.5 HIGH Vulnerability

CVE-2026-40607: MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column


CVSS Score: 7.5
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-40607
Vendor: composer
Affected Product: mantisbt/mantisbt
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See vendor advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.

Impact

Cross-site scripting (XSS). Note that, by default, only users with *Manager* access level or above can save their filters publicly, so the stored payload is normally limited to what a Manager-level account can inject.
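The defect described above is an output-escaping bug: the owner column prints a user-supplied string (the real name, when `$g_show_user_realname = ON`) into HTML without encoding it. The following PHP is an added illustration of that pattern next to its hardened form; it is not MantisBT's own code, and the function names, the `$sample_user` array and its real-name value are constructed for the example.

```php
<?php
// Added illustration, not MantisBT's own code. Function names and the
// sample user are assumptions made for this example.

// Constructed sample: a user whose real name carries HTML markup.
// With $g_show_user_realname = ON the real name, not the username, is shown.
$sample_user = [
    'username' => 'alice',
    'realname' => 'Alice <b>"Admin"</b> & Co',
];

// Vulnerable pattern: the chosen label is concatenated into HTML unescaped,
// so any markup inside the real name becomes live markup in the page.
function owner_cell_unescaped(array $user, bool $show_realname): string
{
    $label = $show_realname ? $user['realname'] : $user['username'];
    return '<td class="owner">' . $label . '</td>';
}

// Hardened pattern: every user-controlled string is HTML-escaped at the
// point of output, whichever field was selected. ENT_QUOTES also encodes
// single and double quotes so the value is safe inside attributes too.
function owner_cell_escaped(array $user, bool $show_realname): string
{
    $label = $show_realname ? $user['realname'] : $user['username'];
    $safe  = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="owner">' . $safe . '</td>';
}

// Render both forms for comparison: in the escaped cell the angle brackets,
// quotes and ampersand of the real name appear as entities, not as markup.
echo owner_cell_unescaped($sample_user, true), PHP_EOL;
echo owner_cell_escaped($sample_user, true), PHP_EOL;
```

The point of the hardened version is that escaping happens at the output site, independent of the configuration flag: switching `$g_show_user_realname` off only changes which field is printed, and a username field could carry the same problem if it were ever allowed to contain markup.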

Patches

• 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

Workarounds

• Prevent display of users' real names (set $g_show_user_realname = OFF; in the configuration)
• Restrict the ability to store filters (set $g_stored_query_create_threshold and $g_stored_query_create_shared_threshold to NOBODY)
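Both workarounds are configuration changes to MantisBT's config_inc.php. The fragment below is an added example, not taken from the MantisBT project or from the advisory, showing the setting that exposes the issue beside the two mitigations; ON, OFF and NOBODY are MantisBT's own configuration constants, and which of the two workarounds (or both) to apply is a site-specific decision.

```php
<?php
// config_inc.php fragment (added example, not MantisBT project code).
// Only the options named in the advisory's workarounds appear here.

// Exposed setting: real names are rendered wherever a user is referenced,
// including the saved-filter owner column, which is the unescaped path.
// $g_show_user_realname = ON;

// Workaround 1: display usernames instead of real names, so the field
// a user can fill with arbitrary text is no longer rendered there.
$g_show_user_realname = OFF;

// Workaround 2: stop every access level from creating stored (saved)
// filters, both private and shared, until the patched release is deployed.
// NOBODY is the MantisBT threshold constant that grants the right to no one.
$g_stored_query_create_threshold        = NOBODY;
$g_stored_query_create_shared_threshold = NOBODY;
```

Workaround 2 is the stricter of the two: it removes the storage vector entirely rather than changing what is displayed, but it also disables a feature users rely on, so it is best treated as a temporary measure while the fix commit listed under Patches is rolled out.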

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

🎯 Known Indicators of Compromise

sha1: 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010 (confidence 0.9, first seen 2026-05-11, 1 source)

This hash is the fix commit listed under Patches, not an artefact of exploitation: it identifies the patched code, so it is useful for confirming that a deployment contains the fix rather than for detecting attacker activity.

📚 Advisory References

