Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().
Published: 2026-03-23
Score: 8.6 High (CVSS v4.0; the NVD CVSS v3.1 score for the same issue is 6.1 Medium)
EPSS: < 1% Very Low
KEV: No
Impact: Stored HTML injection leading to potentially arbitrary JavaScript execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper escaping of tag names that are read back from the History log and displayed in the timeline on my_view_page.php. The name shown in the timeline is retrieved from the History entry when the tag has since been renamed or deleted, and that value is concatenated into the page without escaping. An attacker who can create a tag with a crafted name and then rename or delete it therefore gets the name rendered as live HTML for every user whose timeline includes the event; the victim only has to view the page (passive user interaction, UI:P in the CVSS v4.0 vector). If the site's Content-Security-Policy permits inline scripts or inline event handlers, the stored injection becomes arbitrary JavaScript running in the context of the logged-in user, allowing session token theft, actions performed with that user's privileges (administrative ones if an administrator views the timeline), and from there compromise of the tracker. Where CSP blocks script execution, the attacker still controls HTML on the page, which is enough for content spoofing and phishing-style UI manipulation.

Affected Systems

Mantis Bug Tracker version 2.28.0 is vulnerable; the fix is in 2.28.1, and the only CPE recorded for the issue is cpe:2.3:a:mantisbt:mantisbt:2.28.0. Any instance running the unpatched version that shows the timeline on my_view_page.php is at risk. The affected code is the timeline rendering in my_view_page.php, specifically IssueTagTimelineEvent::html(), which the advisory names as the place to apply the code-level workaround.

Risk and Exploitability

The 8.6 High score is the CVSS v4.0 base score carried on the CVE record (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N): the attacker needs low-privilege access to the application, enough to create and then rename or delete a tag, and the victim only needs to view the timeline. NVD's later enrichment scored the same issue 6.1 Medium under CVSS v3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), so the two scores differ mainly in how the two schemes weigh stored XSS, not in the facts of the bug. The EPSS score below 1 % indicates a low predicted probability of exploitation in the near term, not a count of observed attacks, and the CVE is not listed in CISA's KEV catalog. Nevertheless, the injection is stored, so one crafted tag event fires for every user who views a timeline containing it, and it escalates from HTML injection to script execution wherever the deployment's CSP permits inline script; the payload does not bypass CSP, it relies on CSP being absent or permissive.

Generated by OpenCVE AI on March 25, 2026 at 15:37 UTC.

Remediation

Vendor fix: MantisBT 2.28.1 (see GHSA-73vx-49mv-v8w5). Workarounds given in the advisory: edit the offending History entries using SQL, or wrap `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().

OpenCVE Recommended Actions

  • Upgrade to MantisBT 2.28.1 or newer.
  • If unable to upgrade immediately, edit the offending history entries directly in the database to remove or sanitize the malicious tag names.
  • Apply a code‑level fix by wrapping the $this->tag_name variable in a call to string_html_specialchars() in IssueTagTimelineEvent::html().
  • Configure a strict Content-Security-Policy that blocks inline scripts and inline event handlers and restricts script sources to trusted origins. This limits the impact to HTML injection (content spoofing); it does not remove the injection itself, so it complements rather than replaces the escaping fix.
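The following is an added illustration, not code from MantisBT or from the advisory. It reconstructs the shape of the defect described under Impact and the code-level workaround in the action list above: a cut-down stand-in for IssueTagTimelineEvent whose html() concatenates a tag name read back from History, shown first unescaped and then wrapped in string_html_specialchars(). The class body, the string_html_specialchars() stand-in (assumed to behave like htmlspecialchars() on UTF-8 input), the tag_name_needs_cleanup() triage helper and the sample tag names are all assumptions made for this example.

```php
<?php
// Added example, not MantisBT's code. Class and method names follow the
// advisory text; the bodies are assumed and cut down to the relevant line.

// Stand-in for MantisBT's string_html_specialchars(). Assumed to behave like
// htmlspecialchars() with ENT_QUOTES on UTF-8 input.
function string_html_specialchars( $p_string ) {
    return htmlspecialchars( $p_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

class IssueTagTimelineEvent {
    private $bug_id;
    private $tag_name;

    public function __construct( $p_bug_id, $p_tag_name ) {
        $this->bug_id = (int)$p_bug_id;
        $this->tag_name = $p_tag_name;   // as read back from the History entry
    }

    // Vulnerable shape: the stored name goes into the markup untouched, so a
    // name such as <img onerror=...> is emitted as live HTML.
    public function html_vulnerable() {
        return '<div class="entry">Tag "' . $this->tag_name
            . '" was attached to issue ' . $this->bug_id . '</div>';
    }

    // Hardened shape, per the advisory's workaround: escape the name before it
    // is concatenated into the output.
    public function html() {
        return '<div class="entry">Tag "' . string_html_specialchars( $this->tag_name )
            . '" was attached to issue ' . $this->bug_id . '</div>';
    }
}

// Triage helper for the SQL workaround (assumed, not from MantisBT): a stored
// name that changes under escaping contains characters the browser would
// interpret as markup or attribute delimiters.
function tag_name_needs_cleanup( $p_name ) {
    return string_html_specialchars( $p_name ) !== $p_name;
}

// Constructed sample: a tag name carrying an inline event-handler payload.
$t_payload = '<img src=x onerror="alert(document.cookie)">';
$t_event = new IssueTagTimelineEvent( 42, $t_payload );

echo "Unescaped (vulnerable):\n", $t_event->html_vulnerable(), "\n\n";
echo "Escaped (hardened):\n", $t_event->html(), "\n\n";

// Constructed sample of names as they might sit in History rows.
$t_history_names = array( 'backend', 'needs-triage', $t_payload, 'R&D' );
foreach ( $t_history_names as $t_name ) {
    printf( "%-45s %s\n", $t_name, tag_name_needs_cleanup( $t_name ) ? 'REVIEW' : 'ok' );
}
```

Run it with `php` on the command line. The vulnerable branch emits the `<img ... onerror=...>` element verbatim, which a browser executes wherever CSP allows inline event handlers; the hardened branch emits `&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;`, which renders as literal text. tag_name_needs_cleanup() is deliberately conservative: a plain ampersand (the `R&D` sample) is flagged too, which is a harmless false positive when deciding which History rows to inspect before editing them with SQL.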



Advisories
Source: GitHub GHSA
ID: GHSA-73vx-49mv-v8w5
Title: MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline
History

Wed, 25 Mar 2026 14:00:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:mantisbt:mantisbt:2.28.0:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 24 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mantisbt; Mantisbt mantisbt

Type: Vendors & Products
Values removed: (none)
Values added: Mantisbt; Mantisbt mantisbt

Mon, 23 Mar 2026 19:30:00 +0000

Type: Description
Values removed: (none)
Values added: Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().

Type: Title
Values removed: (none)
Values added: MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (not shown on this page)

Type: Metrics (cvssV4_0)
Values removed: (none)
Values added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T16:06:54.776Z

Reserved: 2026-03-20T18:05:11.832Z

Link: CVE-2026-33548

Vulnrichment

Updated: 2026-03-24T16:06:44.920Z

NVD

Status : Analyzed

Published: 2026-03-23T20:16:27.687

Modified: 2026-03-25T13:55:15.557

Link: CVE-2026-33548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:52Z

Weaknesses