0037003: CVE-2026-39960: Stored XSS in Custom Field Textarea Values - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0037003	mantisbt	security	public	2026-04-02 13:26	2026-05-09 19:56

Reporter	morimori-dev	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Target Version	2.28.2	Fixed in Version	2.28.2

Summary	0037003: CVE-2026-39960: Stored XSS in Custom Field Textarea Values
Description	The fix for CVE-2024-34081 addressed XSS in Custom Field names, but Custom Field textarea values remain unescaped in cfdef_input_textarea(). In core/cfdefs/cfdef_standard.php line 498, the textarea value is output without HTML escaping: `echo ' cols="70" rows="8">', $p_custom_field_value, '</textarea>';` Compare with the text field function (line 480) which correctly uses string_attribute(): `echo ' value="' . string_attribute( $p_custom_field_value ) .'" />';` An authenticated user with bug report permission can inject arbitrary JavaScript via a textarea-type custom field value. When any user (including an administrator) opens the bug edit form, the XSS executes. CVSS 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Steps To Reproduce	As admin, create a Custom Field of type "Textarea" and assign it to a project As any authenticated user, create or edit a bug In the textarea custom field, enter the following payload: `</textarea><img src=x onerror="alert(document.domain)"><textarea>` Save the bug When any user (including admin) opens the bug edit form (bug_update_page.php), the JavaScript executes The payload breaks out of the `<textarea>` tag and injects an `<img>` tag with an onerror handler.
Additional Information	Proposed Fix: In core/cfdefs/cfdef_standard.php, line 498, replace: `echo ' cols="70" rows="8">', $p_custom_field_value, '</textarea>';` with: `echo ' cols="70" rows="8">', string_html_specialchars( $p_custom_field_value ), '</textarea>';` This applies the same escaping pattern used elsewhere in the codebase (e.g., string_attribute() for text inputs). Impact: Attacker: Authenticated user with bug report permission (low privilege) Victim: Any user viewing the bug edit form, including administrators Precondition: A textarea-type custom field must be configured for the project Impact: Session theft leading to admin account takeover, full project data access Reporter: Nozomu Sasaki (Paul) GitHub: https://github.com/morimori-dev
Tags	No tags attached.

dregad 2026-04-06 08:38 developer ~0070943	Thanks for the detailed report report @morimori-dev. I will have a closer look later on.

dregad 2026-04-08 04:28 developer ~0070950	Vulnerability confirmed, and verified that the proposed patch does resolve the issue. I opened Security Advisory https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx and requested a CVE.

dregad 2026-04-09 04:01 developer ~0070953	CVE-2026-39960 assigned