CVE-2026-33517: Stored Cross-Site Scripting in MantisBT Tag Deletion
Vulnerability ID: CVE-2026-33517
CVSS Score: 8.6
Published: 2026-03-25
Mantis Bug Tracker (MantisBT) version 2.28.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation component. An attacker with permissions to create or rename tags can inject arbitrary HTML and JavaScript into a tag name. When an administrator subsequently attempts to delete this tag, the payload executes in their browser context, allowing the attacker to perform unauthorized actions or hijack the administrative session.
TL;DR
MantisBT 2.28.0 fails to escape tag names during the deletion confirmation process, enabling stored XSS. Attackers with tag creation rights can execute malicious JavaScript in an administrator's session, leading to potential site compromise. Upgrading to 2.28.1 resolves the issue.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Stored Cross-Site Scripting
- CWE ID: CWE-79
- CVSS v4.0 Base: 8.6
- Attack Vector: Network
- Exploit Status: Proof of Concept
- CISA KEV: Not Listed
Affected Systems
- Mantis Bug Tracker (MantisBT) 2.28.0 (fixed in 2.28.1)
Code Analysis
Commit: d689032
Introduction of the vulnerability by adding the tag name to the deletion confirmation message.
Commit: 80990f4
Fix for the vulnerability by wrapping the tag name in string_html_specialchars().
--- a/tag_delete.php
+++ b/tag_delete.php
@@ -49,7 +49,9 @@
$f_tag_id = gpc_get_int( 'tag_id' );
tag_ensure_exists( $f_tag_id );
$t_tag_row = tag_get( $f_tag_id );
-$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) );
+$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ),
+ string_html_specialchars( tag_get_name( $f_tag_id ) )
+);
helper_ensure_confirmed( $t_confirm_msg, lang_get( 'tag_delete_button' ) );
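Review bot: the added string_html_specialchars() call is only correct if helper_ensure_confirmed() emits $t_confirm_msg as raw HTML; if that helper already encodes its message argument, this hunk double-escapes the name (a tag called `R&D` would be shown as `R&amp;D`). Confirm which side owns the escaping and say so in a comment at this call site, since the same pattern will be copied to other confirmation prompts. Minor: `$t_tag_row = tag_get( $f_tag_id );` is loaded on the line above, so taking the name from that row avoids the second lookup in `tag_get_name( $f_tag_id )` inside the sprintf.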
Mitigation Strategies
- Upgrade MantisBT to 2.28.1, which contains the fix.
- If upgrading is not immediately possible, apply the change from commit 80990f4 to tag_delete.php by hand; it only touches the $t_confirm_msg assignment.
- As a stopgap, edit the language file so that tag_delete_message no longer contains the placeholder the tag name is substituted into. This removes the injection point at the cost of no longer showing the name in the prompt.
- Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline'. This blocks the inline script and event-handler payloads this bug permits, but it is defence in depth, not a fix; test it first, since it will also block any inline script the application itself relies on.
Remediation Steps:
- Back up the current MantisBT database and application files.
- Download MantisBT 2.28.1 from the official repository.
- Replace the existing application files with the updated files.
- Verify the fix by creating a tag whose name contains markup (for example `<b>test</b>`) and opening its delete confirmation: the name must be displayed literally, not rendered.
- Audit existing tags for names containing HTML tags, `javascript:` URIs or inline event handlers. The payload is stored in the database, so the patch stops it from executing but does not remove it; delete or rename any tag that matches.
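The verification and audit steps above, as an added Python example that is not MantisBT's own code. The sample rows are constructed to stand in for rows of the tag table, the wording of the confirmation prompt is assumed (only the placeholder matters), and `html.escape()` stands in for MantisBT's `string_html_specialchars()`:

```python
"""
Added example (not MantisBT code): triage stored tag names for XSS payloads and
compare what the 2.28.0 and 2.28.1 deletion prompts would render.

Assumptions:
  - SAMPLE_ROWS is constructed; a real audit feeds in rows from the tag table.
  - TAG_DELETE_MESSAGE approximates the English 'tag_delete_message' string.
  - html.escape() approximates MantisBT's string_html_specialchars().
"""
import html
import re

# Patterns a legitimate tag name never needs. A hit means "review this row",
# not "this is an exploit"; a human still looks at it.
_SUSPECT = re.compile(
    r"<\s*/?\s*[a-z!]"        # opening of any HTML tag: <script, <img, </b, <!--
    r"|javascript\s*:"        # URI-scheme payload usable in href/src
    r"|\bon[a-z]+\s*=",       # inline event handler: onerror=, onmouseover=
    re.IGNORECASE,
)

# Constructed rows standing in for: SELECT id, name FROM mantis_tag_table
SAMPLE_ROWS = [
    {"id": 1, "name": "needs-triage"},
    {"id": 2, "name": "release/2.28"},
    {"id": 3, "name": '<img src=x onerror="alert(document.cookie)">'},
    {"id": 4, "name": 'x" onmouseover="alert(1)'},
    {"id": 5, "name": "customer <b>VIP</b>"},
]


def is_suspicious_tag_name(name: str) -> bool:
    """True if the name carries markup or script that an unescaped prompt would render."""
    return _SUSPECT.search(name) is not None


def audit_tags(rows):
    """Return [(id, name)] for every row whose name matches an injection pattern."""
    return [(r["id"], r["name"]) for r in rows if is_suspicious_tag_name(r["name"])]


# Assumed wording of lang_get('tag_delete_message'); the tag name goes into %s.
TAG_DELETE_MESSAGE = 'Are you sure you want to delete the tag "%s"?'


def confirm_message_2_28_0(name: str) -> str:
    """Vulnerable build: the raw tag name is substituted straight into the HTML prompt."""
    return TAG_DELETE_MESSAGE % name


def confirm_message_2_28_1(name: str) -> str:
    """Patched build: the name is entity-encoded first, as the fix commit does."""
    return TAG_DELETE_MESSAGE % html.escape(name, quote=True)


def prompt_contains_markup(rendered: str) -> bool:
    """True if the rendered prompt still holds raw angle brackets the browser would parse."""
    return "<" in rendered or ">" in rendered


if __name__ == "__main__":
    for tag_id, name in audit_tags(SAMPLE_ROWS):
        print(f"review tag {tag_id}: {name!r}")
    payload = SAMPLE_ROWS[2]["name"]
    print("2.28.0:", confirm_message_2_28_0(payload))
    print("2.28.1:", confirm_message_2_28_1(payload))
```

Feed `audit_tags()` the result of `SELECT id, name FROM mantis_tag_table` (default `mantis` prefix and `_table` suffix assumed) to run it against a real instance. The regex is deliberately broad: the cost of a false positive is one tag looked at by hand, while the cost of a miss is a payload that survives the upgrade.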
References
- MantisBT Security Advisory (GHSA-fh48-f69w-7vmp)
- Fix Commit 80990f43
- Introduction Commit d6890320
- NVD Record for CVE-2026-33517
- MantisBT Issue Tracker #36971