HTML Injection Vulnerability in Mantis Bug Tracker by MantisBT
CVE-2026-33548

8.6 HIGH

Key Information:

Vendor

Mantisbt

Status
Vendor
CVE Published:
23 March 2026

What is CVE-2026-33548?

Mantis Bug Tracker (MantisBT) version 2.28.0 is susceptible to an HTML injection vulnerability caused by improper escaping of tag names in the Timeline feature. An attacker could exploit the issue to inject HTML or arbitrary JavaScript into the application, specifically in the timeline entries shown for tags that have been renamed or deleted. The problem arises from how my_view_page.php retrieves and displays these tag names; if the Content Security Policy (CSP) settings are permissive, this can lead to unauthorized script execution. Version 2.28.1 contains a patch for this vulnerability. Until it is applied, workarounds are to edit the affected History entries directly with SQL commands, or to wrap the tag names in string_html_specialchars() in the IssueTagTimelineEvent class.
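The following PHP is an added illustration, not MantisBT's own code: a simplified stand-in for the IssueTagTimelineEvent rendering shows the tag name concatenated into markup unescaped next to the fixed form that passes it through string_html_specialchars(). The class name, the field names and the fallback definition of string_html_specialchars() (used only when the snippet runs outside MantisBT) are assumptions.

```php
<?php
// Added example (not MantisBT source). Class and method names are hypothetical.

// Fallback so the snippet runs stand-alone; inside MantisBT the real
// string_html_specialchars() from core/string_api.php is used instead.
// This approximation may differ in detail from the project's function.
if( !function_exists( 'string_html_specialchars' ) ) {
	function string_html_specialchars( $p_string ) {
		return htmlspecialchars( $p_string, ENT_QUOTES, 'UTF-8' );
	}
}

class TagTimelineEventDemo {
	private $tag_name;
	private $action;

	public function __construct( $p_tag_name, $p_action ) {
		$this->tag_name = $p_tag_name;   // value read back from the History table
		$this->action   = $p_action;     // e.g. 'renamed' or 'deleted'
	}

	// Vulnerable pattern: the stored tag name is inserted into HTML as-is,
	// so any markup it contains is interpreted by the browser.
	public function html_unescaped() {
		return '<span class="timeline-tag">Tag ' . $this->action . ': '
			. $this->tag_name . '</span>';
	}

	// Fixed pattern: the tag name is escaped on output, so '<', '>', '&'
	// and quotes are rendered literally instead of being parsed as HTML.
	public function html_escaped() {
		return '<span class="timeline-tag">Tag ' . $this->action . ': '
			. string_html_specialchars( $this->tag_name ) . '</span>';
	}
}

// Regression check a maintainer can keep: the raw name must not appear in
// the output, while its escaped form must.
function tag_name_is_escaped( $p_html, $p_tag_name ) {
	return strpos( $p_html, $p_tag_name ) === false
		&& strpos( $p_html, string_html_specialchars( $p_tag_name ) ) !== false;
}

// Constructed sample: a renamed tag whose stored name carries markup.
$t_name  = 'release-<u>1.0</u>';
$t_event = new TagTimelineEventDemo( $t_name, 'renamed' );
echo $t_event->html_unescaped(), "\n";
echo $t_event->html_escaped(), "\n";
var_dump( tag_name_is_escaped( $t_event->html_unescaped(), $t_name ) );
var_dump( tag_name_is_escaped( $t_event->html_escaped(), $t_name ) );
```

The same check applied to the deleted-tag entry covers the second case the description mentions, since both entries are rendered from the stored tag name.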

Affected Version(s)

mantisbt = 2.28.0

References

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
