CVE-2026-33517
MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation
Description
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. ### Impact Cross-site scripting (XSS). ### Patches 80990f43153167c73f11eb4b2bc7108d0c3d6b46 ### Workarounds * Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 * Manually edit language files to remove the sprintf placeholder `%1$s` from *$s_tag_delete_message* string, for example with `sed -r -i '/tag_delete_message/s/.%1\$s.//' -- lang/` ### Credits MantisBT hanks Vishal Shukla for discovering and responsibly reporting the issue.
How to fix CVE-2026-33517
To remediate CVE-2026-33517, upgrade the affected package to a fixed version below.
- —upgrade to 2.28.1 or later
Is CVE-2026-33517 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 2.28.0, < 2.28.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |