MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping $this->tag_name in a string_html_specialchars() call in IssueTagTimelineEvent::html().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MantisBT 2.28.0 fails to escape tag names from history in the Timeline view, enabling stored XSS via renamed or deleted tags.
Vulnerability
Overview
CVE-2026-33548 is a stored cross-site scripting (XSS) vulnerability in Mantis Bug Tracker (MantisBT) version 2.28.0. The root cause is improper escaping of tag names retrieved from the History table when displayed in the Timeline on my_view_page.php. When a tag is renamed or deleted, the old tag name is fetched from history and rendered without sanitization, allowing an attacker to inject arbitrary HTML and, if Content Security Policy (CSP) settings permit, execute JavaScript [1][2][4].
Exploitation
An attacker can exploit this by first creating an issue with a tag containing malicious HTML or JavaScript (e.g., timeline). Then, by renaming or deleting that tag, the original malicious name is stored in the history. When any user views the Timeline on the homepage, the injected payload is rendered, leading to script execution if CSP is not restrictive enough [2]. The vulnerability is triggered without requiring authentication beyond a standard user account that can create and modify tags.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, defacement, or further attacks against other users. The vulnerability is classified as stored XSS with high impact on confidentiality, integrity, and availability [1][4].
Mitigation
The issue is fixed in MantisBT version 2.28.1. For users who cannot upgrade immediately, workarounds include manually editing offending History entries via SQL or modifying the source code to wrap $this->tag_name in a string_html_specialchars() call in IssueTagTimelineEvent::html() [1][4]. The advisory credits Vishal Shukla for responsible disclosure [4].
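To make the two code paths concrete, here is an added Python model of the branch the fix touches and of the history rows the SQL-edit workaround has to locate; it is not MantisBT code, and the column names (id, type, old_value, new_value), the tag history type values 19/20/21 and the sample rows are assumptions constructed for the example.

```python
import html
import re

# Assumed from MantisBT's constant_inc.php: history row types for tag events.
TAG_ATTACHED, TAG_DETACHED, TAG_RENAMED = 19, 20, 21
TAG_HISTORY_TYPES = {TAG_ATTACHED, TAG_DETACHED, TAG_RENAMED}
HTML_META = re.compile(r'[<>"\'&]')  # characters that can break out into markup

# Constructed sample data (not real MantisBT rows): the tag '<b>bold</b>' was
# attached (row 2) and then renamed to 'bold' (row 3), so the old name now
# survives only in history. Row 4 is a non-tag event and must be ignored.
SAMPLE_HISTORY = [
    {'id': 1, 'type': TAG_ATTACHED, 'old_value': 'release', 'new_value': ''},
    {'id': 2, 'type': TAG_ATTACHED, 'old_value': '<b>bold</b>', 'new_value': ''},
    {'id': 3, 'type': TAG_RENAMED, 'old_value': '<b>bold</b>', 'new_value': 'bold'},
    {'id': 4, 'type': 6, 'old_value': '<p>', 'new_value': 'desc'},
]
SAMPLE_TAGS = {'release': {'id': 1, 'name': 'release'}, 'bold': {'id': 2, 'name': 'bold'}}

def tag_get_link(tag_row):
    """Stand-in for MantisBT's tag_get_link(): an escaped anchor to a live tag."""
    return '<a href="tag_view_page.php?tag_id=%d">%s</a>' % (
        tag_row['id'], html.escape(tag_row['name'], quote=True))

def render_tag_event(tag_name, tags_by_name, patched):
    """Model the branch changed in IssueTagTimelineEvent::html()."""
    t_tag_row = tags_by_name.get(tag_name)
    if t_tag_row:
        # Live tag: rendered through tag_get_link(), which escapes the name.
        fragment = tag_get_link(t_tag_row)
    elif patched:
        # 2.28.1: renamed/deleted tag name is escaped (string_html_specialchars()).
        fragment = html.escape(tag_name, quote=True)
    else:
        # 2.28.0: raw history value reaches the page (the stored-XSS sink).
        fragment = tag_name
    return '<div class="timeline-event">tag %s</div>' % fragment

def find_offending_history(rows):
    """Ids of tag-history rows whose stored names carry HTML metacharacters.

    This is the row set the advisory's SQL-edit workaround has to locate."""
    hits = []
    for row in rows:
        if row['type'] not in TAG_HISTORY_TYPES:
            continue
        if HTML_META.search(row.get('old_value') or '') or HTML_META.search(row.get('new_value') or ''):
            hits.append(row['id'])
    return hits
```

Only names that no longer resolve to a tag row reach the fallback branch, which is why renaming or deleting the tag is what turns a stored name into rendered markup.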
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | >= 2.28.0, < 2.28.2 | 2.28.2 |
Affected products
Patches (2)
f32787c14d45: Escape unknown tag name in Timeline
1 file changed · +1 −1
core/classes/IssueTagTimelineEvent.class.php+1 −1 modified@@ -61,7 +61,7 @@ public function html() { $t_string, prepare_user_name( $this->user_id ), string_get_bug_view_link( $this->issue_id ), - $t_tag_row ? tag_get_link( $t_tag_row ) : $this->tag_name + $t_tag_row ? tag_get_link( $t_tag_row ) : string_html_specialchars( $this->tag_name ) ) . '</div>'; $t_html .= $this->html_end();
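Review bot: the change escapes only the fallback taken when `$t_tag_row` is empty, so it relies on `tag_get_link( $t_tag_row )` already escaping a live tag's name, which this diff does not show; that path is worth confirming in the same review. Because the fix is applied at output time, History rows written before the upgrade still hold the raw names, which is why the advisory's SQL-edit workaround remains relevant; a short comment above the line noting that `$this->tag_name` comes from History and is untrusted would help future readers.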
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-73vx-49mv-v8w5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33548 (NVD advisory)
- github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815 (fix commit)
- github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5 (MantisBT security advisory)
- mantisbt.org/bugs/view.php (MantisBT bug tracker)
News mentions (0)
No linked articles in our index yet.