← back
CVE-2026-33517

MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation

CVSS 8.6 HIGHEPSS 0.2%CWE-79
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.6EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
mantisbt · mantisbt

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp