CVE-2026-33517 Overview
CVE-2026-33517 is a Cross-Site Scripting (XSS) vulnerability affecting Mantis Bug Tracker (MantisBT), an open source issue tracking system. The vulnerability exists in version 2.28.0 where improper escaping of tag names when displaying the deletion confirmation message in tag_delete.php allows attackers to inject HTML content. If Content Security Policy (CSP) settings permit, this can lead to the execution of arbitrary JavaScript code in the context of an authenticated user's session.
Critical Impact
Authenticated attackers can inject malicious HTML and JavaScript through crafted tag names, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of legitimate users.
Affected Products
- MantisBT version 2.28.0
- Installations with permissive CSP configurations
Discovery Timeline
- 2026-03-23 - CVE-2026-33517 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33517
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw resides in the tag deletion workflow of MantisBT where user-controlled input (the tag name) is rendered in the confirmation dialog without proper sanitization.
When an administrator or user with tag management privileges attempts to delete a tag, the application displays a confirmation message that includes the tag name. The vulnerable code uses a sprintf placeholder (%1$s) in the localization string $s_tag_delete_message to insert the tag name directly into the HTML output. Since the tag name is not properly escaped before being rendered, an attacker who can create or modify tags can inject malicious payloads.
The attack requires authentication with privileges to create tags, and successful exploitation depends on CSP configurations that allow inline script execution.
Root Cause
The root cause is improper output encoding in the tag deletion confirmation page. The application fails to apply HTML entity encoding to the tag name before inserting it into the page content via the language string placeholder. This allows special characters like <, >, and quotes to be interpreted as HTML markup rather than display characters.
Attack Vector
The attack is network-based and requires an authenticated user with tag creation privileges. The attacker crafts a malicious tag name containing a JavaScript payload, then relies on another user opening the deletion confirmation page, where the injected code is rendered. The attack flow involves:
- Attacker creates a tag with a malicious name containing HTML/JavaScript (e.g., <script>alert(document.cookie)</script>)
- When any user navigates to delete this tag, the confirmation page renders the unsanitized tag name
- If CSP allows, the injected script executes in the victim's browser session
- The attacker can steal session tokens, perform actions as the victim, or redirect to phishing pages
The vulnerability requires user interaction (viewing the delete confirmation page) and depends on the target environment's CSP configuration to achieve JavaScript execution.
Detection Methods for CVE-2026-33517
Indicators of Compromise
- Unusual tag names containing HTML markup or JavaScript code in the MantisBT database
- Web server access logs showing requests to tag_delete.php with encoded script characters in parameters
- Browser console errors or CSP violation reports indicating blocked inline scripts
- Unexpected user session activity following interaction with tag management pages
Detection Strategies
- Monitor MantisBT database for tag names containing suspicious patterns such as <script>, javascript:, onerror=, or other XSS payload signatures
- Implement Content Security Policy reporting to detect attempted script injection
- Review web application firewall (WAF) logs for XSS-related blocking events on MantisBT endpoints
- Audit user activity logs for unusual tag creation patterns, particularly from accounts without legitimate bug tracking usage
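The following is an added detection helper, not code from the page or from MantisBT, that applies the tag-name signatures and the access-log check listed above to constructed sample data. It assumes tag rows are exported from the database as (id, name) pairs and that the web server writes the Apache combined log format; the sample rows and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Heuristics for the payload signatures named in the detection strategies
# (script tags, javascript: URLs, inline event handlers) plus a few other
# markup-bearing element names. They are signatures, not a full HTML parser.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                 # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]

def is_suspicious(text: str) -> bool:
    """True if the text carries any of the XSS-style signatures above."""
    return any(p.search(text) for p in SUSPICIOUS_PATTERNS)

def scan_tag_names(tags):
    """tags: iterable of (tag_id, name) rows exported from the tag table."""
    return [(tag_id, name) for tag_id, name in tags if is_suspicious(name)]

# Apache combined log format; only the fields needed here are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Flag requests whose percent-decoded query string carries a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a combined-format line, skip it
        url = urlsplit(m.group("target"))
        decoded_query = unquote_plus(url.query)   # %3Cscript%3E -> <script>
        if is_suspicious(decoded_query):
            hits.append((m.group("ip"), url.path, decoded_query))
    return hits

# Constructed sample data (not taken from any real installation).
SAMPLE_TAGS = [
    (1, "regression"),
    (2, "needs-triage"),
    (3, "<script>alert(document.cookie)</script>"),
    (4, '<img src=x onerror="alert(1)">'),
    (5, "version=2.28.0"),                # benign: '=' without a handler name
]
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2026:10:15:02 +0000] "GET /mantisbt/tag_delete.php?tag_id=3 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Mar/2026:10:15:09 +0000] "GET /mantisbt/view_all_bug_page.php HTTP/1.1" 200 8810 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Mar/2026:10:16:11 +0000] "GET /mantisbt/tag_delete.php?tag_id=3&name=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 1602 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for tag_id, name in scan_tag_names(SAMPLE_TAGS):
        print(f"suspicious tag {tag_id}: {name!r}")
    for ip, path, query in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {path}?{query}")
```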
Monitoring Recommendations
- Enable CSP report-uri directive to receive notifications of policy violations
- Configure centralized logging for MantisBT application and web server access logs
- Set up alerts for database modifications to the tag table with HTML-like content patterns
- Monitor for authentication anomalies following visits to tag management pages
How to Mitigate CVE-2026-33517
Immediate Actions Required
- Upgrade MantisBT to version 2.28.1 or later, which contains the security fix
- Review existing tags in the database for any suspicious content containing HTML or JavaScript
- Ensure strict Content Security Policy headers are configured to mitigate XSS impact
- Restrict tag creation and management privileges to trusted administrators only
Patch Information
The vulnerability is addressed in MantisBT version 2.28.1. The fix implements proper HTML escaping for tag names before they are rendered in the deletion confirmation message. The relevant commits are available in the MantisBT GitHub repository:
- GitHub Commit Fix - Initial fix commit
- GitHub Commit Update - Additional update
For complete details, refer to the GitHub Security Advisory.
Workarounds
- Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 if unable to immediately upgrade
- Manually edit language files to remove the sprintf placeholder %1$s from the $s_tag_delete_message string
- Implement strict Content Security Policy headers that disallow inline script execution and unsafe-eval
- Use a Web Application Firewall (WAF) with XSS protection rules enabled for the MantisBT application
# Example CSP header configuration for Apache (requires mod_headers)
# Add to .htaccess or virtual host configuration
# Note: 'unsafe-inline' below applies to style-src only; script-src stays limited to same-origin files, so inline scripts injected via a tag name are blocked
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

