CVE
CVE-2026-33517
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript.
Impact
Cross-site scripting (XSS).
Patches
80990f43153167c73f11eb4b2bc7108d0c3d6b46
Workarounds
- Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9
- Manually edit language files to remove the sprintf placeholder
%1$sfrom $stagdelete_message string, for example withsed -r -i '/tagdeletemessage/s/.%1\$s.//' -- lang/
Credits
MantisBT hanks Vishal Shukla for discovering and responsibly reporting the issue.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.6
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp, https://nvd.nist.gov/vuln/detail/CVE-2026-33517, https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46, https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9, https://github.com/mantisbt/mantisbt, https://mantisbt.org/bugs/view.php?id=36971
Basic Information
Ecosystem
