CVE-2026-33548 Overview
CVE-2026-33548 is a Cross-Site Scripting (XSS) vulnerability in Mantis Bug Tracker (MantisBT), an open source issue tracking system. The vulnerability exists in version 2.28.0 due to improper escaping of tag names retrieved from History in the Timeline component (my_view_page.php). An attacker can inject HTML and, if Content Security Policy (CSP) settings permit, achieve execution of arbitrary JavaScript when displaying a tag that has been renamed or deleted.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of victims.
Affected Products
- MantisBT version 2.28.0
- Installations with permissive CSP configurations
- Environments where tag management features are accessible to lower-privileged users
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33548 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33548
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The root cause lies in the IssueTagTimelineEvent::html() method, which fails to properly sanitize tag names before rendering them in the Timeline view on my_view_page.php.
When a user views the Timeline, the application retrieves historical tag information from the database. If a tag has been renamed or deleted, the stored tag name in the history is displayed without proper HTML encoding. This creates an injection point where malicious HTML or JavaScript can be stored and later executed when other users view the Timeline.
The network-based attack vector requires user interaction, as a victim must view the affected Timeline page containing the malicious tag history entry. However, since the Timeline is a commonly accessed page in MantisBT, the likelihood of victim exposure is significant.
Root Cause
The vulnerability stems from the $this->tag_name variable being output directly without being processed through the string_html_specialchars() function in the IssueTagTimelineEvent::html() method. This missing output encoding allows special HTML characters like <, >, and " to be interpreted as markup rather than displayed as literal text.
Attack Vector
The attack requires an authenticated attacker with permissions to create or modify tags. The attacker crafts a tag name containing malicious JavaScript payload, then renames or deletes the tag to trigger the vulnerable code path. When other authenticated users view the Timeline displaying the tag history, the malicious script executes in their browser context.
The exploitation flow involves creating a tag with an XSS payload embedded in the name, associating it with an issue to generate a history entry, and then modifying or removing the tag to expose the vulnerable rendering path.
Detection Methods for CVE-2026-33548
Indicators of Compromise
- Unusual tag names in the MantisBT database containing HTML tags or JavaScript (e.g., <script>, <img onerror=, javascript:)
- Anomalous entries in the mantis_bug_history_table related to tag operations
- Browser console errors or unexpected script execution when viewing Timeline pages
- User reports of suspicious behavior or unexpected redirects on my_view_page.php
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in HTTP requests targeting MantisBT tag management endpoints
- Monitor database tables for tag entries containing suspicious HTML/JavaScript patterns
- Review web server access logs for unusual patterns of access to my_view_page.php combined with tag modification activities
- Deploy client-side Content Security Policy violation reporting to detect attempted script injections
Monitoring Recommendations
- Enable verbose logging for tag creation, modification, and deletion operations in MantisBT
- Configure browser-based CSP reporting to capture policy violations that may indicate exploitation attempts
- Implement database integrity monitoring for tag-related tables to detect injected payloads
- Monitor user session activity for anomalous behavior following Timeline page access
How to Mitigate CVE-2026-33548
Immediate Actions Required
- Upgrade MantisBT to version 2.28.1 or later immediately
- Review existing tags in the database for potentially malicious content
- Implement strict Content Security Policy headers to mitigate JavaScript execution if exploitation has occurred
- Audit recent tag creation and modification activities for suspicious entries
Patch Information
MantisBT has released version 2.28.1 which contains the security fix for this vulnerability. The patch, available at GitHub Commit f32787c, wraps the $this->tag_name variable in a string_html_specialchars() call within the IssueTagTimelineEvent::html() method to properly encode HTML special characters before output.
For detailed information about this vulnerability, refer to the GitHub Security Advisory GHSA-73vx-49mv-v8w5.
Workarounds
- Manually edit offending History entries in the database using SQL to remove or sanitize malicious tag names
- Apply a manual code patch by wrapping $this->tag_name in a string_html_specialchars() call in the IssueTagTimelineEvent::html() function
- Implement strict Content Security Policy headers that prevent inline script execution to reduce the impact of the vulnerability
- Restrict tag management permissions to trusted administrator accounts until the patch can be applied
# Configuration example for CSP headers in Apache
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
# For nginx, add to server block
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
