Tag
A content security policy bypass vulnerability, CVE-2026-40597, exists in MantisBT versions 2.28.1 and earlier, allowing an attacker to bypass the _script-src_ directive by uploading a crafted attachment that, when downloaded, executes as JavaScript due to MIME type sniffing, given a pre-existing XSS / HTML injection vulnerability.