VYPR
High severity · 7.6 · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT has a Content Security Policy bypass via attachments

CVE-2026-40597

Description

Given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue: when the attachment is fetched through the file_download.php link it is served with a valid JavaScript MIME type, so a <script> element pointing at that link loads it and the script executes.

The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP's finfo extension (see the file_create_finfo() API function). Because the response carries the X-Content-Type-Options: nosniff header, the browser refuses to execute a file loaded through a <script> tag unless its declared MIME type is a JavaScript type, so a payload detected as any other MIME type cannot be used this way.
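As an added illustration (not MantisBT's own code), the following Python models the Content-Type / Content-Disposition decision of file_download.php before and after the fix, together with the browser's nosniff rule that decides whether a script load of the attachment is allowed. The contents of the force-inline and force-attachment lists beyond the entries shown in the patch, and the unpatched behaviour of passing the detected MIME type straight through, are assumptions.

```python
from dataclasses import dataclass

# JavaScript MIME type essences, as listed in the WHATWG MIME Sniffing standard.
JS_MIME_TYPES = {
    "application/ecmascript", "application/javascript", "application/x-ecmascript",
    "application/x-javascript", "text/ecmascript", "text/javascript",
    "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
    "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
    "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
}

# Assumed list contents: the advisory only shows the entries the patch touches.
FORCE_INLINE = {"image/png", "image/jpeg", "application/pdf"}
FORCE_ATTACHMENT_BEFORE = {"application/x-shockwave-flash", "image/svg+xml", "text/html"}
FORCE_ATTACHMENT_AFTER = FORCE_ATTACHMENT_BEFORE | {"application/javascript"}


@dataclass
class ResponseHeaders:
    content_type: str   # value sent in Content-Type
    inline: bool        # True -> Content-Disposition: inline, False -> attachment


def serve_headers(mime_type: str, patched: bool, inline_requested: bool = True) -> ResponseHeaders:
    """Model file_download.php's decision for a finfo-detected MIME type.
    Assumption: before the patch the detected type was sent unchanged."""
    content_type, inline = mime_type, inline_requested
    force_attachment = FORCE_ATTACHMENT_AFTER if patched else FORCE_ATTACHMENT_BEFORE
    if mime_type in FORCE_INLINE:
        inline = True
    else:
        if mime_type in force_attachment:
            inline = False
        if patched:
            top_level = mime_type.split("/", 1)[0]
            if top_level == "text":
                content_type = "text/plain"            # never text/html, text/javascript, ...
            elif top_level not in ("audio", "video"):
                content_type = "application/octet-stream"
    return ResponseHeaders(content_type, inline)


def script_load_allowed(content_type: str, nosniff: bool = True) -> bool:
    """Browser side: with X-Content-Type-Options: nosniff a <script src> load
    executes only when the declared type is a JavaScript MIME type."""
    if not nosniff:
        return True  # without nosniff the browser may sniff the body instead
    essence = content_type.split(";", 1)[0].strip().lower()
    return essence in JS_MIME_TYPES
```

Running the unpatched and patched decisions for a finfo-detected application/javascript upload shows the bypass closing: the first response is loadable as a script, the second is served as application/octet-stream as an attachment and rejected under nosniff.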

Impact

Cross-site scripting

Patches

9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Affected products: 1

Patches: 1

9e3bee2e7b90

Merge branch 'sec-37016-csp-bypass' into release/2.28.2

https://github.com/mantisbt/mantisbt · Damien Regad · May 9, 2026 · via ghsa
1 file changed · +21 −2
  • file_download.php (+21 −2, modified)
    @@ -196,6 +196,7 @@
     );
     $t_mime_force_attachment = array(
     	'application/x-shockwave-flash',
    +	'application/javascript',
     	'image/svg+xml', # SVG could contain CSS or scripting, see #30384
     	'text/html',
     );
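Review bot: The new 'application/javascript' entry is matched by exact string against whatever finfo reports, so other JavaScript MIME type spellings (text/javascript, application/x-javascript) do not hit this list; since the list only governs Content-Disposition, a one-line comment noting that the Content-Type rewrite in the following hunk is the control that actually stops script interpretation would make the intent clear, or the match could cover all JavaScript types rather than one.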
    @@ -206,10 +207,28 @@
     
     if( in_array( $t_mime_type, $t_mime_force_inline ) ) {
     	$t_show_inline = true;
    -} else if( in_array( $t_mime_type, $t_mime_force_attachment ) ) {
    -	$t_show_inline = false;
    +
    +	# For attachments allowed inline, use the file's actual MIME type as-is
    +} else {
    +	if( in_array( $t_mime_type, $t_mime_force_attachment ) ) {
    +		$t_show_inline = false;
    +	}
    +
    +	# Set Content-Type based on MIME type
    +	[$t_type] = explode( '/', $t_mime_type );
    +	if( $t_type == 'text' ) {
    +		# Ensures we don't interpret HTML, JavaScript, etc.
    +		$t_content_type = 'text/plain';
    +	} elseif( in_array( $t_type, ['audio', 'video'] ) ) {
    +		# No special treatment needed for audio & video
    +	} else {
    +		# Everything else
    +		$t_content_type = 'application/octet-stream';
    +	}
     }
     
    +form_security_purge( 'file_show_inline' );
    +
     http_content_disposition_header( $t_filename, $t_show_inline );
     
     header( 'Content-Type: ' . $t_content_type );
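Review bot: The `elseif( in_array( $t_type, ['audio', 'video'] ) )` branch is empty and relies on $t_content_type having been assigned from the detected MIME type somewhere above this hunk; an explicit `$t_content_type = $t_mime_type;` there, or a comment naming where it is set, would make the fall-through self-documenting. The comment `# For attachments allowed inline, use the file's actual MIME type as-is` sits inside the force-inline branch directly before `} else {`, so it reads as if it introduces the else block; it belongs above `$t_show_inline = true;`. Also, `form_security_purge( 'file_show_inline' );` is now called unconditionally before the headers are sent and nothing in the diff or the commit message says why, which is worth a sentence.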
    
