CVE-2026-33517 HIGH

CVE-2026-33517: MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation

Vendor Mantisbt
Product mantisbt
Weakness CWE-79 · XSS
Published March 23, 2026
Last update March 24, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.

Key dates

02Disclosure timeline

March 23, 2026 CVE published
March 24, 2026 Record updated