{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33548", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.832Z", "datePublished": "2026-03-23T19:15:18.891Z", "dateUpdated": "2026-03-24T16:06:54.776Z"}, "containers": {"cna": {"title": "MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5"}, {"name": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815", "tags": ["x_refsource_MISC"], "url": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815"}], "affected": [{"vendor": "mantisbt", "product": "mantisbt", "versions": [{"version": "= 2.28.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T19:15:18.891Z"}, "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()."}], "source": {"advisory": "GHSA-73vx-49mv-v8w5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T16:05:45.559424Z", "id": "CVE-2026-33548", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:06:54.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T16:05:45.559424Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T16:06:44.920Z"}}], "cna": {"title": "MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline", "source": {"advisory": "GHSA-73vx-49mv-v8w5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "mantisbt", "product": "mantisbt", "versions": [{"status": "affected", "version": "= 2.28.0"}]}], "references": [{"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5", "name": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815", "name": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T19:15:18.891Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33548", "state": "PUBLISHED", "dateUpdated": "2026-03-24T16:06:54.776Z", "dateReserved": "2026-03-20T18:05:11.832Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T19:15:18.891Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mantisbt:mantisbt:2.28.0:*:*:*:*:*:*:*", "matchCriteriaId": "7CD11245-68F0-43F7-A710-5347D626FFD8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html()."}, {"lang": "es", "value": "Mantis Bug Tracker (MantisBT) es un rastreador de problemas de c\u00f3digo abierto. En la versi\u00f3n 2.28.0, un escape incorrecto de los nombres de etiquetas recuperados del Historial en la L\u00ednea de Tiempo (my_view_page.php) permite a un atacante inyectar HTML y, si la configuraci\u00f3n de CSP lo permite, lograr la ejecuci\u00f3n de JavaScript arbitrario, al mostrar una etiqueta que ha sido renombrada o eliminada. La versi\u00f3n 2.28.1 contiene un parche. Las soluciones incluyen editar las entradas ofensivas del Historial (usando SQL) y envolver `$this->tag_name` en una llamada a string_html_specialchars() en IssueTagTimelineEvent::html()."}], "id": "CVE-2026-33548", "lastModified": "2026-03-25T13:55:15.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T20:16:27.687", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mantisbt/mantisbt/commit/f32787c14d4518476fe7f05f992dbfe6eaccd815"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-73vx-49mv-v8w5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "2.28.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "mantisbt", "source": "cna", "vendor": "mantisbt"}, "product": "mantisbt", "vendor": "mantisbt"}], "analysis": {"en": {"generated_at": "2026-03-25T15:37:50.477632+00:00", "value": {"mitigation_remediation": ["Upgrade to MantisBT 2.28.1 or newer.", "If unable to upgrade immediately, edit the offending history entries directly in the database to remove or sanitize the malicious tag names.", "Apply a code\u2011level fix by wrapping the $this->tag_name variable in a call to string_html_specialchars() in IssueTagTimelineEvent::html().", "Configure a strict Content\u2011Security\u2011Policy to block inline scripts and restrict script origins to trusted sources."], "summary": {"action": "Immediate Patch", "impact": "Stored HTML injection leading to potentially arbitrary JavaScript execution"}, "threat_synthesis": {"affected_systems": "Mantis Bug Tracker version 2.28.0 is vulnerable. The fix was applied in 2.28.1. Any instance running the unpatched version with the timeline feature enabled is at risk. The issue specifically affects the my_view_page.php script that renders issue timelines.", "description_and_impact": "The vulnerability arises from improper escaping of tag names that are retrieved from the history log and displayed in the timeline view of MantisBT. An attacker who can create or rename a tag with specially crafted characters can cause the tag name to be rendered as live HTML when the timeline is viewed. If the site\u2019s Content\u2011Security\u2011Policy allows inline scripts or execution of data\u2011originated code, this stored injection can lead to the execution of arbitrary JavaScript in the context of the logged\u2011in user, potentially allowing credential theft, session hijacking, or full compromise of the web application.", "risk_and_exploitability": "The CVSS v3 base score of 8.6 classifies the issue as high severity, with an attack vector that is user\u2011controllable via tag manipulation, requiring user interaction and legitimate access to the application\u2019s interface. The EPSS score is below 1\u202f%, suggesting few observed attacks, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the combination of stored XSS and the possibility of bypassing CSP makes it a worthwhile target for attackers with moderate resources."}}}}, "created": "2026-03-24T10:33:02.111851+00:00", "updated": "2026-03-25T20:36:52.584492+00:00", "vendors": ["mantisbt", "mantisbt$PRODUCT$mantisbt"]}