CVE-2026-33517

Severity: High (CVSS 4.0 base score 8.6) · EPSS 15.4%
Published Mar 23, 2026 · Last Modified Jun 17, 2026

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), the tag name is not properly escaped when it is displayed in the confirmation message. This allows an attacker to inject HTML and, if the CSP settings permit, execute arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing the language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Passive (P)
Scope X

Threat Intelligence

EPSS Exploit Probability
15.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor    Product    Version    Range
mantisbt  mantisbt   2.28.0     any

References 3

  • github.com https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
    Patch
  • github.com https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
    Patch
  • github.com https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp
    Mitigation, Patch, Vendor Advisory
