MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder %1$s from $s_tag_delete_message string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT 2.28.0 fails to escape tag names in the delete confirmation message, enabling stored HTML injection and potential XSS.
Analysis of CVE-2026-33517
Vulnerability Description
CVE-2026-33517 is a stored HTML injection vulnerability in Mantis Bug Tracker (MantisBT) version 2.28.0. The issue occurs in tag_delete.php, where the tag name is passed directly into sprintf() to build a confirmation message without output escaping. That message is then rendered by helper_ensure_confirmed(), which also performs no HTML escaping [1][2]. The root cause is that tag_name_is_valid() only rejects specific characters (+, -, and the configured tag separator) and does not neutralize HTML or JavaScript content [2].
Attack Vector and Exploitation
To exploit this vulnerability, an attacker must first be able to create tags, which a low-privilege user (e.g., REPORTER) can do. The attacker creates a tag containing an HTML payload (e.g., ``) and attaches it to an issue. Subsequently, a privileged user (DEVELOPER or above) who attempts to delete that tag sees the payload rendered as HTML. If the application's Content Security Policy (CSP) is absent or permissive, JavaScript payloads could execute, leading to cross-site scripting (XSS) [2]. The issue is reproducible in multiple locales, including English, French, Polish, Turkish, and Japanese [2].
Impact
Successful exploitation results in stored HTML injection; under favorable CSP conditions, it can lead to XSS. This could allow an attacker to execute arbitrary JavaScript in the context of a privileged user's session, potentially leading to session hijacking, data theft, or further compromise of the MantisBT instance [2].
Mitigation
The fix is implemented in MantisBT version 2.28.1, which properly escapes tag names in the confirmation message [1][2]. Workarounds for those unable to upgrade include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and manually editing language files to remove the %1$s placeholder from $s_tag_delete_message [1].
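As an added example (not MantisBT's own code), the following PHP models the confirmation message in tag_delete.php before and after the fix and includes a small audit helper for the language-file workaround; the `_demo` helpers and the `lang/` path are assumptions, stand-ins for the real MantisBT functions.

```php
<?php
// Added example, not MantisBT's own code. Models the confirmation message
// in tag_delete.php before (commit d6890320) and after (commit 80990f43)
// the fix, and adds an audit helper for the language-file workaround.
// Names ending in _demo are stand-ins for the real MantisBT helpers.

// Mirrors the tag_name_is_valid() behaviour described for 2.28.0: only
// '+', '-' and the configured separator are rejected, so '<' and '>' pass.
function tag_name_is_valid_demo( string $p_name, string $p_separator = ',' ): bool {
    return !preg_match( '/[+\-' . preg_quote( $p_separator, '/' ) . ']/', $p_name );
}

// Stand-in for string_html_specialchars(): escape for an HTML text context.
function string_html_specialchars_demo( string $p_string ): string {
    return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
}

// Template as added to lang/strings_english.txt by commit d6890320.
$t_template = 'Are you sure you wish to delete tag "%1$s"?';

// Constructed tag name carrying markup; the validator accepts it.
$t_tag_name = '<b>release</b>';
var_dump( tag_name_is_valid_demo( $t_tag_name ) ); // bool(true)

// 2.28.0: the raw name is interpolated, so the markup reaches the page.
$t_vulnerable = sprintf( $t_template, $t_tag_name );
// 2.28.1: the name is escaped before interpolation.
$t_fixed = sprintf( $t_template, string_html_specialchars_demo( $t_tag_name ) );
echo $t_vulnerable, "\n";
echo $t_fixed, "\n";
// The fixed message carries no angle brackets; the template has none itself.
assert( strpos( $t_fixed, '<' ) === false );

// Audit helper for the workaround: list language files whose
// $s_tag_delete_message still contains the %1$s placeholder.
function lang_files_with_placeholder_demo( string $p_lang_dir ): array {
    $t_hits = [];
    foreach ( glob( $p_lang_dir . '/strings_*.txt' ) ?: [] as $t_file ) {
        $t_pattern = '/\$s_tag_delete_message\s*=\s*[\'"][^\'"]*%1\$s/';
        if ( preg_match( $t_pattern, (string)file_get_contents( $t_file ) ) ) {
            $t_hits[] = basename( $t_file );
        }
    }
    return $t_hits;
}

// Point this at a MantisBT checkout's lang/ directory (path is an assumption).
print_r( lang_files_with_placeholder_demo( __DIR__ . '/lang' ) );
```

Any file the audit helper lists still interpolates the tag name into the confirmation message, so on an unpatched 2.28.0 install it has not had the workaround applied.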
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 2.28.0, < 2.28.1 | 2.28.1 |
Affected products
Patches (2)
80990f431531 Properly escape tag name prior to display
1 file changed · +3 −1
tag_delete.php+3 −1 modified@@ -49,7 +49,9 @@ $f_tag_id = gpc_get_int( 'tag_id' ); tag_ensure_exists( $f_tag_id ); $t_tag_row = tag_get( $f_tag_id ); -$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) ); +$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), + string_html_specialchars( tag_get_name( $f_tag_id ) ) +); helper_ensure_confirmed( $t_confirm_msg, lang_get( 'tag_delete_button' ) );
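Review bot: The escaping is applied at the call site, so helper_ensure_confirmed() still treats whatever message it receives as ready-to-render HTML; any other caller that interpolates user-controlled text into its message needs the same string_html_specialchars() wrapping, so consider documenting that the message parameter must already be HTML-safe, or escaping inside the helper instead. Minor: $t_tag_row = tag_get( $f_tag_id ) is already loaded two lines above the changed line, so the second lookup via tag_get_name( $f_tag_id ) could be avoided by taking the name from that row.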
d6890320752e Add tag name to delete confirmation message
2 files changed · +3 −2
lang/strings_english.txt+1 −1 modified@@ -1492,7 +1492,7 @@ $s_tag_update = 'Update Tag: %1$s'; $s_tag_update_return = 'Back to Tag'; $s_tag_update_button = 'Update Tag'; $s_tag_delete_button = 'Delete Tag'; -$s_tag_delete_message = 'Are you sure you wish to delete this tag?'; +$s_tag_delete_message = 'Are you sure you wish to delete tag "%1$s"?'; $s_tag_existing = 'Existing tags'; $s_tag_none_attached = 'No tags attached.'; $s_tag_attach = 'Attach';
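Review bot: Adding the %1$s placeholder turns $s_tag_delete_message into a format string that will carry a user-supplied tag name, so every caller of this string must escape the name for the HTML context it is rendered in before calling sprintf(); this should be noted next to the string, since translators copying it into other language files will inherit the same requirement.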
tag_delete.php+2 −1 modified@@ -49,8 +49,9 @@ $f_tag_id = gpc_get_int( 'tag_id' ); tag_ensure_exists( $f_tag_id ); $t_tag_row = tag_get( $f_tag_id ); +$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) ); -helper_ensure_confirmed( lang_get( 'tag_delete_message' ), lang_get( 'tag_delete_button' ) ); +helper_ensure_confirmed( $t_confirm_msg, lang_get( 'tag_delete_button' ) ); tag_delete( $f_tag_id );
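Review bot: tag_get_name( $f_tag_id ) is passed to sprintf() unescaped and the result goes straight into helper_ensure_confirmed(), which renders its message as HTML, so a tag name containing markup is injected into the confirmation page; wrap the name before interpolating, e.g. sprintf( lang_get( 'tag_delete_message' ), string_html_specialchars( tag_get_name( $f_tag_id ) ) ). The hunk also leaves $t_tag_row unused, so the name could be taken from the row already loaded rather than through a second lookup.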
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fh48-f69w-7vmp (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33517 (NVD entry)
- github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46 (fix commit)
- github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9 (commit that introduced the unescaped message)
- github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp (vendor advisory)
- mantisbt.org/bugs/view.php (MantisBT bug tracker)