CVE-2026-33517
Severity: HIGH · EPSS 15.4%
Published Mar 23, 2026 · Last Modified Jun 17, 2026
CVSS 4.0 base score: 8.6
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of the tag's name when it is displayed in the confirmation message allows an attacker to inject HTML and, if the CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing the language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
CVSS Details
Base Score: 8.6 (CVSS 4.0)
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X
Threat Intelligence
EPSS Exploit Probability: 15.4%
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses (1)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| mantisbt | mantisbt | 2.28.0 | any |
References (3)
- github.com https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
- github.com https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
- github.com https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp
Remediation
- github.com https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
- github.com https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
- github.com https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp