High severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
CVE-2026-33517
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder %1$s from $s_tag_delete_message string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mantisbt/mantisbtPackagist | >= 2.28.0, < 2.28.1 | 2.28.1 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-fh48-f69w-7vmpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33517ghsaADVISORY
- github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46ghsax_refsource_MISCWEB
- github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9ghsax_refsource_MISCWEB
- github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmpghsax_refsource_CONFIRMWEB
- mantisbt.org/bugs/view.phpghsaWEB
News mentions
0No linked articles in our index yet.