CVE-2026-33517
Status: Received - Intake
Stored XSS in MantisBT Tag Deletion Confirmation Message

Publication date: 2026-03-23

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: mantisbt
Product: mantisbt
Version / Range: 2.28.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33517 is a security vulnerability in Mantis Bug Tracker (MantisBT) version 2.28.0 related to the deletion of tags. When a user attempts to delete a tag, the system displays a confirmation message that includes the tag's name. However, the tag name was not properly escaped before being displayed, allowing an attacker to inject malicious HTML or JavaScript code into this confirmation message.

If the Content Security Policy (CSP) settings permit, this vulnerability can lead to execution of arbitrary JavaScript in the user's browser, which is a type of Cross-Site Scripting (XSS) attack. This occurs because the tag name is inserted directly into the confirmation message without neutralizing special HTML characters.

The issue was fixed in version 2.28.1 by properly escaping the tag name before displaying it, preventing injection of malicious code. [3]


How can this vulnerability impact me?

This vulnerability can have a high impact on the confidentiality, integrity, and availability of the MantisBT system and its data.

  • An attacker can inject malicious HTML or JavaScript code into the tag deletion confirmation message.
  • If executed, this code can perform actions such as stealing user session data, manipulating the user interface, or performing unauthorized actions on behalf of the user.
  • Because the attack requires only low privileges and low complexity, it can be exploited relatively easily by an attacker with limited access.
  • User interaction is required to trigger the exploit, meaning a user must attempt to delete a tag and see the confirmation message.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs in Mantis Bug Tracker version 2.28.0 when deleting a tag via tag_delete.php, due to improper escaping of the tag name in the confirmation message. Detection involves checking if your MantisBT installation is version 2.28.0 and if the tag deletion confirmation message includes unescaped tag names.

You can verify the version of MantisBT running on your system by checking the version file or the application interface.

To detect if the vulnerable code is present, you can inspect the tag_delete.php file for the presence or absence of proper escaping functions around the tag name in the confirmation message.

  • Check MantisBT version: grep -i version /path/to/mantisbt/README or check the version in the application UI.
  • Inspect tag_delete.php for escaping: grep -A 5 'tag_delete_message' /path/to/mantisbt/tag_delete.php
  • Look for usage of string_html_specialchars() around tag_get_name() in tag_delete.php. If missing, the system is vulnerable.

Additionally, you can test the vulnerability by attempting to create a tag with HTML or JavaScript content in its name and then deleting it to see if the confirmation message executes or displays the injected code. [2, 3]
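The two checks listed above (version, and whether `tag_get_name()` is wrapped by `string_html_specialchars()` where the `tag_delete_message` string is filled in) can be scripted so they run the same way on every install. The following is an added example, not MantisBT's own code and not the fix that shipped in 2.28.1: it reads a version constant and inspects the PHP statement that builds the confirmation message, resolving a plain variable argument back to its assignment so an escape applied one line earlier still counts. The PHP snippets are constructed stand-ins for the shape of tag_delete.php, and reading `MANTIS_VERSION` from core/constant_inc.php is an assumption about where the version lives; the real file layout may differ.

```python
"""Added example (not MantisBT code): script the version and escaping checks
for the tag_delete.php confirmation message described in CVE-2026-33517."""
import re
from typing import Dict, Optional, Tuple

AFFECTED = (2, 28, 0)   # the only version the record lists as affected
FIXED = (2, 28, 1)      # first fixed version named in the advisory
# Escape helpers that neutralise HTML metacharacters: the MantisBT helper the
# record names, plus PHP's builtin. Anything else is reported as unescaped.
ESCAPE_FUNCS = ("string_html_specialchars", "htmlspecialchars")

# Constructed samples of the file shape (not MantisBT's real source).
VERSION_SRC = "define( 'MANTIS_VERSION', '2.28.0' );"   # assumed location: core/constant_inc.php
VULNERABLE_SRC = """<?php
$t_message = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) );
"""
FIXED_SRC = """<?php
$t_name = string_html_specialchars( tag_get_name( $f_tag_id ) );
$t_message = sprintf( lang_get( 'tag_delete_message' ), $t_name );
"""


def parse_version(src: str) -> Optional[Tuple[int, ...]]:
    """Pull the MANTIS_VERSION define out of a constant_inc.php-like file."""
    m = re.search(r"MANTIS_VERSION'\s*,\s*'(\d+(?:\.\d+)*)", src)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_affected(version: Tuple[int, ...]) -> bool:
    """True for the affected range [2.28.0, 2.28.1) the record describes."""
    return AFFECTED <= version < FIXED


def message_statement(src: str) -> Optional[str]:
    """Return the ';'-terminated PHP statement that uses tag_delete_message, if any."""
    m = re.search(r"[^;]*tag_delete_message[^;]*;", src)
    return m.group(0) if m else None


def assess_tag_delete(src: str) -> str:
    """Classify a tag_delete.php-like source.

    Returns 'escaped' when tag_get_name() reaches sprintf only through one of
    ESCAPE_FUNCS, 'unescaped' when it is passed raw, 'not-interpolated' when
    the name is not passed at all, and 'no-message' when the string is unused.
    """
    stmt = message_statement(src)
    if stmt is None:
        return "no-message"
    # Everything after the format-string name is the list of interpolated values.
    args = stmt.split("tag_delete_message", 1)[1]
    # A plain $variable may carry the escaped name: pull in its assignment
    # (first '=' assignment in the file; '==' comparisons are skipped).
    for var in set(re.findall(r"\$\w+", args)):
        assign = re.search(re.escape(var) + r"\s*=(?!=)\s*([^;]+);", src)
        if assign:
            args += " " + assign.group(1)
    compact = re.sub(r"\s+", "", args)
    if "tag_get_name(" not in compact:
        return "not-interpolated"
    wrapped = any(f + "(tag_get_name(" in compact for f in ESCAPE_FUNCS)
    return "escaped" if wrapped else "unescaped"


def report(version_src: str, tag_delete_src: str) -> Dict[str, object]:
    """Combine both checks into one verdict for an install."""
    version = parse_version(version_src)
    escaping = assess_tag_delete(tag_delete_src)
    return {
        "version": version,
        "version_affected": bool(version and version_affected(version)),
        "escaping": escaping,
        "vulnerable": escaping == "unescaped",
    }


if __name__ == "__main__":
    # On a real install, read core/constant_inc.php and tag_delete.php instead.
    print("vulnerable sample:", report(VERSION_SRC, VULNERABLE_SRC))
    print("fixed sample:     ", report(VERSION_SRC, FIXED_SRC))
```

The code verdict is what matters: a 2.28.0 install that has had the commit reverted or the `%1$s` placeholder removed from the language file is not exploitable even though the version check still says "affected", which is why `vulnerable` is driven by the escaping result. The variable resolution handles one level of indirection only; an escape applied through two intermediate variables is reported as unescaped and should be confirmed by reading the file.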


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade MantisBT to version 2.28.1 or later, where the vulnerability is fixed by properly escaping the tag name in the deletion confirmation message.

If upgrading immediately is not possible, you can apply workarounds:

  • Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 which introduced the vulnerable change.
  • Manually edit the language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string, preventing the tag name from being injected into the confirmation message.

These workarounds prevent the injection of unescaped tag names and reduce the risk of XSS attacks until a proper patch can be applied.

