Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
Published: 2026-03-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS capable of executing arbitrary JavaScript
Action: Immediate Patch
AI Analysis

Impact

In MantisBT 2.28.0, the tag deletion interface displays the tag name in a confirmation message without proper escaping, allowing an attacker to embed malicious HTML or JavaScript into the page. If the site's Content-Security-Policy permits script execution, the injected code runs in the browser context of any user who views the confirmation, enabling theft of session data, credential compromise, or further web-based attacks.

Affected Systems

All installations of Mantis Bug Tracker version 2.28.0 are vulnerable; the issue is fixed in 2.28.1. The vulnerability affects any system running that exact version, regardless of other configuration, and is identified by the CPE cpe:2.3:a:mantisbt:mantisbt:2.28.0.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. This entry is not listed in the KEV catalog. The attack requires an authenticated user with permission to delete tags, and exploitation occurs during normal use of the web interface, so the vulnerability is reachable by anyone who can create or modify tags with malicious content.

Generated by OpenCVE AI on March 25, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MantisBT to version 2.28.1 or later
  • If an upgrade is not immediately possible, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 to restore the previous safe code
  • Alternatively, edit the language file to remove the sprintf placeholder %1$s from the $s_tag_delete_message string to prevent unsanitized output
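As an added illustration of the pattern the description and the recommended actions refer to, the following hypothetical PHP is not MantisBT's own code and is not part of this record. It shows a language-file template carrying the `%1$s` placeholder, the unsafe substitution of an unescaped tag name into it, the escaped form a fix would use, and the placeholder-free string the workaround produces. The function names, the sample tag value and the template wording are assumptions.

```php
<?php
// Hypothetical illustration, not MantisBT's own code: a tag-delete
// confirmation message built from a language-file template that carries
// a sprintf placeholder, shown in an unsafe form, a safe form, and the
// placeholder-free workaround form.

// Language-file string with the placeholder named in the advisory
// (the wording is assumed, not taken from the project).
$s_tag_delete_message = 'Are you sure you want to delete tag "%1$s"?';

// Constructed sample tag name containing markup (not a real tag).
$tag_name = '<b>release</b>';

// Unsafe pattern: the raw, user-controlled tag name is substituted into
// the template and the result is emitted as HTML, so any markup in the
// name is interpreted by the browser instead of shown as text.
function confirmation_unsafe(string $template, string $name): string {
    return sprintf($template, $name);
}

// Safe pattern: escape the untrusted value before substituting it, so it
// is rendered as literal text. ENT_QUOTES covers both quote styles, and
// naming the charset explicitly avoids encoding-dependent surprises.
function confirmation_safe(string $template, string $name): string {
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf($template, $escaped);
}

// Workaround from the advisory: with the placeholder removed from the
// language string, sprintf has nothing to substitute, so the tag name is
// never emitted through this message at all (extra sprintf arguments are
// ignored in PHP).
$s_tag_delete_message_workaround = 'Are you sure you want to delete this tag?';

function confirmation_workaround(string $template, string $name): string {
    return sprintf($template, $name);
}

echo confirmation_unsafe($s_tag_delete_message, $tag_name), PHP_EOL;
echo confirmation_safe($s_tag_delete_message, $tag_name), PHP_EOL;
echo confirmation_workaround($s_tag_delete_message_workaround, $tag_name), PHP_EOL;
```

Running the script prints the three variants in order: the unsafe one carries the `<b>` tags through unchanged, the safe one carries them as `&lt;b&gt;` entities, and the workaround omits the name entirely. Escaping at the output point is the durable fix; stripping the placeholder only removes this one sink and loses the tag name from the confirmation, which is why the record lists it as a stopgap rather than the upgrade.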



Advisories
Source: Github GHSA
ID: GHSA-fh48-f69w-7vmp
Title: MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
History

Wed, 25 Mar 2026 14:00:00 +0000

  CPEs, values added: cpe:2.3:a:mantisbt:mantisbt:2.28.0:*:*:*:*:*:*:*
  Metrics cvssV3_1, values added:
    {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Mar 2026 15:15:00 +0000

  Metrics ssvc, values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

  First Time appeared, values added: Mantisbt; Mantisbt mantisbt
  Vendors & Products, values added: Mantisbt; Mantisbt mantisbt

Mon, 23 Mar 2026 19:30:00 +0000

  Description, values added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, when deleting a Tag (tag_delete.php), improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Version 2.28.1 fixes the issue. Workarounds include reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9 and/or manually editing language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
  Title, values added: MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
  Weaknesses, values added: CWE-79
  References, values added:
  Metrics cvssV4_0, values added:
    {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T14:17:15.295Z

Reserved: 2026-03-20T16:59:08.892Z

Link: CVE-2026-33517

Vulnrichment

Updated: 2026-03-24T14:17:08.383Z

NVD

Status: Analyzed

Published: 2026-03-23T20:16:27.533

Modified: 2026-03-25T13:58:07.253

Link: CVE-2026-33517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:53Z

Weaknesses