Executive Summary

CVE-2026-33548 is a vulnerability in Mantis Bug Tracker (MantisBT) version 2.28.0 that allows an attacker to perform Cross-Site Scripting (XSS) and HTML injection attacks. The issue arises because tag names retrieved from the History in the Timeline feature are not properly escaped when displayed, especially if the tag has been renamed or deleted. This improper escaping allows malicious HTML or JavaScript code to be injected and executed in the context of the affected web page.

The root cause is that when the system fails to find a tag name in the database (due to renaming or deletion), it outputs the tag name directly without escaping special HTML characters. The fix involves escaping these tag names using the PHP function string_html_specialchars() to prevent execution of injected code.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your Mantis Bug Tracker instance is running a vulnerable version (2.28.0 or 2.28.1) and checking for malicious HTML or JavaScript injections in the Timeline feature, specifically in tag names retrieved from History entries.'}, {'type': 'paragraph', 'content': 'You can query the database to find suspicious or malformed tag names in the bug_history table that might contain injected HTML or JavaScript code.'}, {'type': 'paragraph', 'content': 'Example SQL command to find potentially malicious tag names in the bug_history table:'}, {'type': 'list_item', 'content': "SELECT * FROM bug_history WHERE field_name = 'tag' AND (old_value LIKE '%<%' OR new_value LIKE '%<%');"}, {'type': 'paragraph', 'content': 'This command searches for entries where tag names contain HTML tags, which could indicate injection attempts.'}, {'type': 'paragraph', 'content': 'Additionally, checking the version of MantisBT installed can be done by running:'}, {'type': 'list_item', 'content': "grep 'version' path/to/mantisbt/configuration or checking the version in the web interface footer."}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Mantis Bug Tracker to version 2.28.2 or later, where the vulnerability is patched by properly escaping tag names in the Timeline feature.

If immediate patching is not possible, workarounds include:

• Manually editing offending History entries in the database using SQL to remove or sanitize malicious tag names.
• Modifying the source code to wrap the tag name output in the IssueTagTimelineEvent::html() method with the PHP function string_html_specialchars() to escape HTML special characters.

These steps help prevent execution of injected HTML or JavaScript until a full patch can be applied.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to Cross-Site Scripting (XSS) attacks, which may allow an attacker to execute arbitrary JavaScript in the context of the affected MantisBT web application.

• Compromise of confidentiality, allowing attackers to steal sensitive information.
• Compromise of integrity, enabling attackers to manipulate or inject malicious content.
• Compromise of availability, potentially disrupting normal operation of the system.

The vulnerability has a high severity score (CVSS 8.6) and can be exploited remotely with low complexity and low privileges required.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0