Listen to this Post
How CVE-2026-40607 Works
The vulnerability exists due to the incorrect escaping of a saved filter’s owner. When `$g_show_user_realname` is set to `ON` in the MantisBT configuration, the real name of the user who saved a filter is displayed. By manipulating the owner value, an attacker can inject arbitrary HTML into the saved filter’s owner column. This injected HTML is then executed in the context of the victim’s browser when they view the list of saved filters. Although by default only users with Manager access level or above can publicly save filters, an attacker with appropriate access can embed malicious XSS payloads. The flaw resides in the output logic that fails to properly escape the owner field before rendering, allowing the injection and execution of arbitrary HTML and JavaScript.
DailyCVE Form
Platform: MantisBT Version: <=2.28.1 Vulnerability : Stored XSS Severity: High date: 2026-05-09 Prediction: Already patched in 2.28.2
What Undercode Say
The following bash command can be used to check for the vulnerable configuration option ($g_show_user_realname) in a MantisBT installation. Additionally, a code snippet demonstrates the improper escaping that leads to the XSS.
Check for vulnerable configuration
grep -r "g_show_user_realname" /path/to/mantisbt/config_inc.php
Exploit sample (payload injection)
curl -X POST "http://target/mantisbt/manage_filter_edit.php" \
-d "filter_name=<script>alert('XSS')</script>&owner=<img src=x onerror=alert(1)>"
// Vulnerable code (conceptual) echo "" . $filter['realname'] . ""; // No escaping applied
Exploit
An authenticated attacker with the ability to save public filters can inject a malicious script into the owner field. The following payload triggers JavaScript execution when the saved filter list is viewed:
<script>alert('XSS')</script>
If `$g_show_user_realname` is enabled, the attacker’s payload is rendered without proper escaping, leading to execution in the victim’s browser.
Protection
- Upgrade MantisBT to version 2.28.2 or later, which includes a proper escaping fix.
- Disable real name display by setting `$g_show_user_realname = OFF` in the configuration.
- Restrict filter creation by setting `$g_stored_query_create_threshold` and `$g_stored_query_create_shared_threshold` to `NOBODY` to prevent any user from saving filters.
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary JavaScript in the context of a logged‑in user.
- Steal session cookies, enabling account takeover.
- Deface the MantisBT interface.
- Perform actions on behalf of the victim, including modifying or deleting issues.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

