MantisBT: master-2.28 fa2c797d

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-04-11 16:16
Parent: master-2.28 d78b75a5
Affected Issues: 0037011: CVE-2026-40596: XSS leading to account takeover via updating a user's font family preference
Changeset

Escape font_family in generated style

layout_user_font_preference() displayed the user's font_family without
proper escaping, leaving the door open for XSS / HTML injection.

Fixes 0037011, GHSA-j3v9-553h-x28j

mod - core/layout_api.php
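The pattern the commit message describes, a user-controlled font_family value interpolated into generated markup without escaping, shown beside a hardened form. This is an added illustration, not MantisBT's code and not the content of the changed file: the function names render_font_style_unescaped and render_font_style_escaped, the allowlist pattern, and the sample values are all assumptions made for this example.

```php
<?php
// Added example, not MantisBT's own code. It shows the class of defect the
// commit describes (unescaped user preference rendered into a style) and one
// defensive rewrite. Function names, allowlist and sample data are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the stored preference is concatenated straight into an
// HTML attribute, so quotes and angle brackets in it reach the page verbatim.
function render_font_style_unescaped(string $font_family): string {
    return '<body style="font-family: ' . $font_family . ';">';
}

// Hardened pattern: reject anything that is not a plausible font-family list,
// then escape for the HTML attribute context. Entity-encoded quotes are
// decoded by the HTML parser before CSS sees them, so legitimate names such as
// 'Segoe UI' still work while a breakout of the attribute is no longer possible.
function render_font_style_escaped(string $font_family): string {
    // Allowlist (assumed for this example): letters, digits, space, comma,
    // single quote and hyphen, at most 100 characters.
    if (!preg_match('/^[A-Za-z0-9 ,\'-]{1,100}$/', $font_family)) {
        // Fall back to a safe default rather than render an unexpected value.
        $font_family = 'sans-serif';
    }
    $escaped = htmlspecialchars($font_family, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body style="font-family: ' . $escaped . ';">';
}

// Constructed sample values: a legitimate preference and one carrying markup.
$samples = [
    "'Segoe UI', Verdana, sans-serif",
    'Verdana"><b>injected</b>',
];

foreach ($samples as $value) {
    echo 'unescaped: ' . render_font_style_unescaped($value) . PHP_EOL;
    echo 'hardened:  ' . render_font_style_escaped($value) . PHP_EOL;
}
```

Running the script prints both renderings for each sample; for the second value the unescaped form closes the attribute and emits the injected element, while the hardened form falls back to sans-serif because the value fails the allowlist, and any quote that did pass the allowlist would be entity-encoded rather than terminate the attribute.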