MantisBT (Mantis Bug Tracker), Content Security Policy Bypass via Attachments, CVE-2026-40597 (High)

Listen to this Post

This vulnerability allows an attacker to bypass the Content Security Policy’s `script-src` directive through a crafted attachment. The attack chain leverages a pre-existing XSS or HTML injection flaw within the application. The attacker uploads a malicious file, which is detected as a valid JavaScript MIME type by PHP’s `finfo` through the `file_create_finfo()` API function. When accessed via file_download.php, the browser receives the file with a MIME type like `text/javascript` or application/javascript. Crucially, the server’s `X-Content-Type-Options: nosniff` header, designed to prevent MIME sniffing, actually enforces strict MIME type checking for scripts. Therefore, the uploaded payload must be correctly identified as a JavaScript MIME type by the server-side detection to execute. `file_create_finfo()` uses `finfo_buffer()` or `finfo_file()` to sniff the content type. The attacker crafts the file to pass this detection, often using a polyglot file (e.g., an image with a JavaScript payload). Once the file is attached to an issue, the attacker triggers the existing XSS to inject a `

Scroll to Top