CVE-2026-33548: Stored Cross-Site Scripting in MantisBT Timeline Feature
Vulnerability ID: CVE-2026-33548
CVSS Score: 8.6
Published: 2026-03-25
Mantis Bug Tracker (MantisBT) version 2.28.0 contains a stored Cross-Site Scripting (XSS) vulnerability in its Timeline feature. The flaw occurs when the application renders historical issue tags that have been subsequently renamed or deleted, falling back to an unescaped raw string from the database.
TL;DR
A stored XSS vulnerability in MantisBT 2.28.0 allows authenticated attackers to execute arbitrary JavaScript in the context of other users viewing the issue timeline by leveraging deleted or renamed tags.
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS v4.0: 8.6 (High)
- EPSS Score: 0.00069
- Impact: Stored Cross-Site Scripting
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- MantisBT Core
- MantisBT Timeline Module
- MantisBT: 2.28.0 (Fixed in: 2.28.1)
Code Analysis
Commit: f32787c
Fix XSS in IssueTagTimelineEvent
Mitigation Strategies
- Upgrade to MantisBT version 2.28.1 or later.
- Apply manual code patch to IssueTagTimelineEvent.class.php.
- Implement a strong Content Security Policy (CSP).
- Sanitize the bug_history table to remove existing injected payloads.
Remediation Steps
- Download the MantisBT 2.28.1 release package.
- Backup the existing MantisBT database and application files.
- Deploy the new version following the official upgrade documentation.
- Verify the integrity of the bug_history table using SQL queries to identify potential historical payloads.
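The last step above, checking bug_history for historical tag names that carry markup, as an added example that is not MantisBT's own code. The table layout and the type codes for tag events (10 attached, 11 detached, 12 renamed) are assumptions modelled on the MantisBT schema; the sample rows are constructed.

```python
"""Added example (not MantisBT code): flag historical tag values in a
bug_history table that contain HTML markup, and show the escaped fallback
a timeline renderer should use for a tag that no longer resolves."""
import html
import re
import sqlite3

# Assumed MantisBT history type codes for tag attached / detached / renamed.
TAG_EVENT_TYPES = (10, 11, 12)
# Characters that have no business in a tag name; matches are triage hits,
# not proof of exploitation, so review each flagged row by hand.
MARKUP = re.compile(r'[<>"\']')


def build_sample_db() -> sqlite3.Connection:
    # Constructed stand-in for mantis_bug_history_table with sample rows.
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE mantis_bug_history_table (
        id INTEGER PRIMARY KEY, bug_id INTEGER, user_id INTEGER,
        field_name TEXT, old_value TEXT, new_value TEXT, type INTEGER)""")
    rows = [
        (1, 101, 5, "", "", "regression", 10),                      # benign attach
        (2, 101, 5, "", "regression", "needs-info", 12),            # benign rename
        (3, 102, 7, "", "", "<script>alert(1)</script>", 10),       # constructed payload
        (4, 102, 7, "status", "10", "50", 0),                       # non-tag row
    ]
    con.executemany(
        "INSERT INTO mantis_bug_history_table VALUES (?,?,?,?,?,?,?)", rows)
    return con


def find_suspicious_tag_history(con: sqlite3.Connection) -> list:
    """Return (history_id, bug_id) for tag events whose old/new value has markup."""
    placeholders = ",".join("?" * len(TAG_EVENT_TYPES))
    cur = con.execute(
        "SELECT id, bug_id, old_value, new_value FROM mantis_bug_history_table "
        f"WHERE type IN ({placeholders})", TAG_EVENT_TYPES)
    return [(rid, bug) for rid, bug, old, new in cur
            if MARKUP.search(old or "") or MARKUP.search(new or "")]


def safe_timeline_text(raw_tag_value: str) -> str:
    """Fallback rendering for a renamed/deleted tag: escape, never echo raw."""
    return html.escape(raw_tag_value, quote=True)


if __name__ == "__main__":
    db = build_sample_db()
    for hist_id, bug_id in find_suspicious_tag_history(db):
        print(f"history row {hist_id} on bug {bug_id} needs review")
```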
References
- GitHub Security Advisory GHSA-73vx-49mv-v8w5
- Fix Commit f32787c14d4518476fe7f05f992dbfe6eaccd815
- MantisBT Bug Tracker Issue 36973
- CVE Record for CVE-2026-33548