VYPR
High severity · 7.5 · GHSA Advisory · Published May 11, 2026 · Updated May 11, 2026

MantisBT is Vulnerable to Stored XSS in Saved-Filter Owner Column

CVE-2026-40607

Description

Incorrect escaping of a saved filter's owner allows an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON.

Impact

Cross-site scripting (XSS).

Note that, by default, only users with *Manager* access level or above can save their filters publicly.

Patches

- 44f490bcf20fd491c1b8f3fc9dd041d8c2a30010

Workarounds

- Prevent display of users' real names (set $g_show_user_realname = OFF; in the configuration).
- Restrict the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY).
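The mechanism in the Description and the first workaround above, as an added illustration that is not MantisBT code: a minimal model of the saved-filter "Owner" cell with the unescaped pattern beside the escaped one. The user record, the `display_name()` helper and both `owner_cell_*()` functions are constructed for this example; the real name is treated as attacker-controllable text, and the `$show_realname` flag stands in for `$g_show_user_realname`. PHP's standard `htmlspecialchars()` is used directly rather than MantisBT's own wrapper.

```php
<?php
// Constructed sample user: the real name field carries markup, as an
// attacker who can edit their own profile could arrange.
$user = [
    'username' => 'alice',
    'realname' => 'Alice <script>alert(1)</script>',
];

// Hypothetical stand-in for the $g_show_user_realname switch: return the
// real name when enabled and non-empty, otherwise the login name.
function display_name(array $user, bool $show_realname): string
{
    if ($show_realname && $user['realname'] !== '') {
        return $user['realname'];
    }
    return $user['username'];
}

// Vulnerable pattern: user-controlled text concatenated straight into markup,
// so any tags in the name are parsed by the browser.
function owner_cell_unescaped(array $user, bool $show_realname): string
{
    return '<td>' . display_name($user, $show_realname) . '</td>';
}

// Hardened pattern: escape at the point of output. ENT_QUOTES also covers
// attribute contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking output.
function owner_cell_escaped(array $user, bool $show_realname): string
{
    $name = display_name($user, $show_realname);
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Realname display ON: only the escaped cell is safe to send to a browser.
echo owner_cell_unescaped($user, true), PHP_EOL;
echo owner_cell_escaped($user, true), PHP_EOL;

// Realname display OFF (the advisory's first workaround): the real name is
// never rendered, but output escaping remains the correct fix regardless.
echo owner_cell_unescaped($user, false), PHP_EOL;
echo owner_cell_escaped($user, false), PHP_EOL;
```

With `$show_realname = true`, the first line emits the `<script>` tag verbatim while the second turns `<` and `>` into `&lt;` and `&gt;`, so the name is displayed as text. Turning the real name off removes this particular sink but leaves the unescaped function one configuration change away from the same bug, which is why the patch escapes at output instead of relying on the setting.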

Credits

Thanks to siunam (Tang Cheuk Hei) for discovering and responsibly reporting the issue.

Affected products: 1

Patches (1)

44f490bcf20f

Fix XSS in manage_filter_page.php

https://github.com/mantisbt/mantisbt · Damien Regad · Apr 12, 2026 · via ghsa
1 file changed · +3 −1
  • manage_filter_page.php · +3 −1 · modified
    @@ -107,7 +107,9 @@ function table_print_filter_row( $p_filter_id ) {
     	# Public
     	echo '<td class="center">' . trans_bool( filter_get_field( $p_filter_id, 'is_public' ) ) . '</td>';
     	# Owner
    -	echo '<td>' . user_get_name( filter_get_field( $p_filter_id, 'user_id' ) ) . '</td>';
    +	echo '<td>'
    +		. string_html_specialchars( user_get_name( filter_get_field( $p_filter_id, 'user_id' ) ) )
    +		. '</td>';
     	# Actions
     	echo '<td>';
     	echo '<div class="pull-left">';
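Review bot: the escaping is correct for this cell, but user_get_name() still returns the raw real name whenever $g_show_user_realname is ON, so every other place that prints its result into HTML needs the same string_html_specialchars() wrapping; it is worth auditing the remaining callers rather than fixing only manage_filter_page.php. A regression test that creates a filter owned by a user whose real name contains markup and asserts the rendered Owner cell contains `&lt;` rather than a raw `<` would keep this from coming back.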
    
