
CVE

CVE-2026-33548

MantisBT has Stored HTML Injection/XSS when displaying Tags in Timeline

Improper escaping of tag names retrieved from History in Timeline (myviewpage.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted.

Impact

Cross-site scripting (XSS).

Patches

f32787c14d4518476fe7f05f992dbfe6eaccd815

Workarounds

  • Edit offending History entries (using SQL)
  • Wrap $this->tag_name in a string_html_specialchars() call in IssueTagTimelineEvent::html()
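The second workaround, shown as an added illustration that is not MantisBT's own code: a minimal stand-in for the timeline rendering path, with the vulnerable form (stored tag name concatenated straight into the markup) beside the hardened form (name escaped first). Function and variable names are hypothetical, and plain PHP htmlspecialchars() stands in for MantisBT's string_html_specialchars() wrapper so the snippet runs without the MantisBT core.

```php
<?php
// Added illustration for CVE-2026-33548; not MantisBT's code. Names are hypothetical.
// A timeline event renders a tag name that was read back from the issue History
// table, where the old name of a renamed or deleted tag is stored as plain text.

// Vulnerable form: the stored tag name is interpolated into the markup as-is, so any
// HTML in the name becomes part of the page for every viewer of the timeline.
function tag_timeline_html_vulnerable(string $tag_name, string $action): string {
    return '<div class="action">Tag "' . $tag_name . '" ' . $action . '</div>';
}

// Hardened form: escape before interpolation (ENT_QUOTES also covers attribute
// contexts). MantisBT's wrapper for this is string_html_specialchars(); plain
// htmlspecialchars() is used here so the snippet is self-contained.
function tag_timeline_html_fixed(string $tag_name, string $action): string {
    $t_safe_name = htmlspecialchars($tag_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="action">Tag "' . $t_safe_name . '" ' . $action . '</div>';
}

// Constructed sample: a tag whose old name (now only in History) carries markup.
$t_history_tag_name = 'release-<b>1.0</b>';

$t_unsafe = tag_timeline_html_vulnerable($t_history_tag_name, 'renamed');
$t_safe   = tag_timeline_html_fixed($t_history_tag_name, 'renamed');

// The vulnerable output still contains a live <b> element; the fixed output
// carries it only as escaped text (&lt;b&gt;), which the browser renders literally.
assert(strpos($t_unsafe, '<b>') !== false);
assert(strpos($t_safe, '<b>') === false);
assert(strpos($t_safe, '&lt;b&gt;1.0&lt;/b&gt;') !== false);

echo $t_unsafe, "\n";
echo $t_safe, "\n";
```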

Credits

MantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.



CVSS Version

CVSS Version  Base Score  Score Vector
4.0           8.6         CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3.1           0           CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


References

  • https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5
  • https://nvd.nist.gov/vuln/detail/CVE-2026-33548
  • https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815
  • https://github.com/mantisbt/mantisbt
  • https://mantisbt.org/bugs/view.php?id=36973

Severity

6.1


Basic Information

Base CVSS: 6.1
EPSS Probability: 0.00046%
EPSS Percentile: 0.14627%
Introduced Version: 2.28.0
Fix Available: 2.28.2
