CVE-2026-33517

UNKNOWN 0.0

MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation

CVSS Score

0.0

EPSS Score

0.1%

EPSS Percentile

19th

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from `$s_tag_delete_message` string.

CWE	CWE-79
Vendor	mantisbt
Product	mantisbt
Published	Mar 23, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for mantisbt mantisbt

Be the first to know when new unknown vulnerabilities affecting mantisbt mantisbt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

mantisbt / mantisbt

= 2.28.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp github.com: https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46 github.com: https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9