CVE-2026-33517
EPSS 0.05%MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Published: 3/25/2026Modified: 3/25/2026
Also known as:GHSA-fh48-f69w-7vmp
Description
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. ### Impact Cross-site scripting (XSS). ### Patches 80990f43153167c73f11eb4b2bc7108d0c3d6b46 ### Workarounds * Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 * Manually edit language files to remove the sprintf placeholder `%1$s` from *$s_tag_delete_message* string, for example with `sed -r -i '/tag_delete_message/s/.%1\$s.//' -- lang/` ### Credits MantisBT hanks Vishal Shukla for discovering and responsibly reporting the issue.
Affected packages (1)
- Packagist/mantisbt/mantisbt>= 2.28.0, < 2.28.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33517
- PATCHhttps://github.com/mantisbt/mantisbt
- WEBhttps://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46
- WEBhttps://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9
- WEBhttps://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp
- WEBhttps://mantisbt.org/bugs/view.php?id=36971