VYPR
Moderate severity · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page

CVE-2026-40598

Description

Improper escaping of the redirection page (retrieved from the request's *Referer* header) allows an attacker to inject HTML.

While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting.

Impact

Cross-site scripting (XSS).

Patches

b1ebc57763f104eb5f541b7b4d1ce6948168abd9

Workarounds

None

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MantisBT tag_update_page.php fails to escape the Referer header, enabling reflected HTML injection that can lead to cache-poisoned XSS under specific server configurations.

Vulnerability

In MantisBT's tag_update_page.php, the value of the redirect is taken directly from the HTTP Referer header without HTML entity encoding [2]. The vulnerable code at line 106 assigns $t_redirect_page from basename( $_SERVER["HTTP_REFERER"] ) and then outputs it unsanitized into a hidden input field: `<input type="hidden" name="redirect" value="<?php echo $t_redirect_page ?>"/>` [2][4]. This improper escaping allows an attacker to inject arbitrary HTML into the page [1][3].

Exploitation

Modern browsers percent-encode characters such as `"`, `<` and `>` when they serialize a URL into the Referer header, so the header a victim's own browser sends can never close the value attribute; a direct reflected XSS attack is therefore not feasible under normal conditions [2]. The attacker can, however, send the raw header themselves with a non-browser client. If the server sits behind a caching layer such as Varnish Cache that stores this page's response keyed on the URL without varying on Referer, or if the front-end and back-end are vulnerable to HTTP request smuggling, the response containing the injected payload can end up in the cache [2][3]. A subsequent request from a victim for the same URL would then receive the poisoned cached response, executing the attacker's script [2][3]. This is what makes the issue conditional on server configuration rather than exploitable against every deployment.
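The two sections above (the unescaped hidden input and the cache-poisoning route around browser encoding) can be exercised together with the following model. It is an added example, not MantisBT code or the reporter's proof of concept: `php_basename()` and `string_html_specialchars()` approximate PHP's `basename()` and MantisBT's helper (assumed here to be an `htmlspecialchars()` wrapper that encodes double quotes), `browser_referer()` is a simplified model of how browsers serialize the Referer header, `PathKeyedCache` is a toy shared cache keyed on request path only, and every URL and payload is constructed for the example.

```python
"""Toy model of CVE-2026-40598 (MantisBT tag_update_page.php).

Added example, not MantisBT code. php_basename() and string_html_specialchars()
approximate PHP basename() and MantisBT's helper (assumed to be an
htmlspecialchars() wrapper that encodes double quotes); browser_referer() is a
simplified model of browser Referer serialization; PathKeyedCache is a toy
shared cache keyed on request path only. All inputs are constructed.
"""
import html
from urllib.parse import quote

# Constructed attacker payload. It deliberately contains no '/' because the
# page runs basename() over the Referer and would truncate at the last slash.
PAYLOAD_REFERER = 'https://mantis.example/view_all_bug_page.php?"><svg onload=alert(1)>'
INNOCENT_REFERER = "https://mantis.example/tag_view_page.php"
PAGE_PATH = "/mantis/tag_update_page.php?tag_id=1"


def php_basename(path: str) -> str:
    """Approximates PHP basename(): last '/'-separated component, trailing
    slashes dropped. It does not strip a query string, so attacker text
    after '?' in the Referer survives into the redirect value."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def string_html_specialchars(value: str) -> str:
    """Approximates MantisBT string_html_specialchars(): encode &, <, >, and
    quotes so the value cannot close the attribute it is placed in."""
    return html.escape(value, quote=True)


def browser_referer(url: str) -> str:
    """Simplified model of how a modern browser serializes a URL into the
    Referer header: the fragment is dropped and characters such as '"', '<',
    '>' and space are percent-encoded. This is why a victim's own browser
    cannot deliver an attribute-breaking payload."""
    url = url.split("#", 1)[0]
    return quote(url, safe="/:?=&%@!$'()*+,;~-._")


def render_redirect_input(referer: str, patched: bool) -> str:
    """Renders the hidden input as tag_update_page.php does. patched=False is
    the pre-fix behaviour; patched=True applies the escaping from the fix."""
    redirect = php_basename(referer)
    if patched:
        redirect = string_html_specialchars(redirect)
    return f'<input type="hidden" name="redirect" value="{redirect}"/>'


def contains_injected_markup(rendered: str) -> bool:
    """Oracle used instead of a browser: the legitimate output contains exactly
    one '<' (the input tag); a second one means the value opened a new tag."""
    return rendered.count("<") > 1


class PathKeyedCache:
    """Toy shared cache that, like a misconfigured reverse proxy, keys on the
    request path alone and never varies on Referer."""

    def __init__(self):
        self._store = {}

    def fetch(self, path, headers, origin):
        if path not in self._store:
            self._store[path] = origin(path, headers)
        return self._store[path]


def origin_server(patched: bool):
    """Origin handler: reflects whatever Referer it receives into the form."""
    def handle(path, headers):
        return render_redirect_input(headers.get("Referer", ""), patched)
    return handle


def scenario_direct(patched: bool) -> str:
    """Victim's browser follows a link to the page: Referer is percent-encoded
    on the way out, so even the unpatched page reflects harmless text."""
    return render_redirect_input(browser_referer(PAYLOAD_REFERER), patched)


def scenario_cache_poisoning(patched: bool) -> tuple:
    """Attacker sends the raw Referer with a non-browser client (curl etc.) so
    the payload arrives verbatim; the shared cache stores that response and
    later serves it to a victim who sent an innocent Referer."""
    cache = PathKeyedCache()
    origin = origin_server(patched)
    attacker_view = cache.fetch(PAGE_PATH, {"Referer": PAYLOAD_REFERER}, origin)
    victim_view = cache.fetch(PAGE_PATH, {"Referer": INNOCENT_REFERER}, origin)
    return attacker_view, victim_view


if __name__ == "__main__":
    for patched in (False, True):
        label = "patched" if patched else "unpatched"
        print(label, "direct:", contains_injected_markup(scenario_direct(patched)))
        _, victim = scenario_cache_poisoning(patched)
        print(label, "via cache:", contains_injected_markup(victim))
```

Running the script shows the shape of the advisory: the direct scenario is harmless with or without the patch because the browser encodes the Referer, the cache scenario injects markup only on the unpatched origin, and the patch closes it by turning `"><svg` into `&quot;&gt;&lt;svg` before the value reaches the attribute. The `basename()` detail is worth remembering when reviewing similar sinks: it limits what survives from the header but does nothing to make the remainder safe for HTML.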

Impact

Successful exploitation leads to cross-site scripting (XSS) in the victim's browser [1][3]. An attacker could steal session cookies, perform actions on behalf of the authenticated user, or deface the application.

Mitigation

The issue is fixed in commit b1ebc57763f104eb5f541b7b4d1ce6948168abd9, which wraps the echoed value in string_html_specialchars() so that double quotes and angle brackets are HTML-encoded before being placed in the value attribute [4]. The fix ships in MantisBT 2.28.2; no workarounds are available, so users must upgrade to 2.28.2 or later, or apply the patch [1][3].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mantisbt/mantisbt (Packagist)
Affected versions: < 2.28.2
Patched versions: 2.28.2

Patches

b1ebc57763f1

Escape redirect page before display to prevent XSS

https://github.com/mantisbt/mantisbt · Damien Regad · Apr 12, 2026 · via ghsa
1 file changed · +1 −1
  • tag_update_page.php · +1 −1 · modified
    @@ -103,7 +103,7 @@
     		<table class="table table-bordered table-condensed table-striped">
     		<fieldset>
     			<input type="hidden" name="tag_id" value="<?php echo $f_tag_id ?>"/>
    -			<input type="hidden" name="redirect" value="<?php echo $t_redirect_page ?>"/>
    +			<input type="hidden" name="redirect" value="<?php echo string_html_specialchars( $t_redirect_page ) ?>"/>
     			<?php echo form_security_field( 'tag_update' ) ?>
     			<tr>
     				<td class="category">
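Review bot: the `tag_id` hidden input on the context line directly above the change uses the same unescaped `<?php echo $f_tag_id ?>` pattern; that is acceptable only if `$f_tag_id` is guaranteed numeric where it is read earlier in the file (not visible in this hunk), otherwise it should be wrapped in `string_html_specialchars()` in the same way. The change itself is the correct fix for this context, since the value sits in a double-quoted attribute and encoding the double quote and angle brackets is what prevents the breakout. Since only this one occurrence is escaped, it is worth confirming that `$t_redirect_page` is not echoed anywhere else in the page, for example in a link or redirect target.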
    
