CVE-2026-33548
- Source
- https://cve.org/CVERecord?id=CVE-2026-33548
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33548.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33548
- Aliases
- Published
- 2026-03-23T19:15:18.891Z
- Modified
- 2026-04-10T05:42:49.433259Z
- Severity
-
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
- Details
-
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (myviewpage.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping
$this->tag_namein a stringhtmlspecialchars() call in IssueTagTimelineEvent::html(). - Database specific
{ "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33548.json", "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/mantisbt/mantisbt
Affected versions
release-1.*
release-1.2.0a1
release-1.2.0a2
release-1.2.0a3
release-1.2.0rc1
release-1.3.0-beta.1
release-1.3.0-beta.2
release-1.3.0-beta.3
release-1.3.0-rc.1
release-1.3.0-rc.2
release-2.*
release-2.0.0
release-2.0.0-beta.1
release-2.0.0-beta.2
release-2.0.0-beta.3
release-2.0.0-rc.1
release-2.0.0-rc.2
release-2.1.0
release-2.10.0
release-2.11.0
release-2.12.0
release-2.13.0
release-2.14.0
release-2.15.0
release-2.16.0
release-2.17.0
release-2.18.0
release-2.19.0
release-2.2.0
release-2.20.0
release-2.21.0
release-2.22.0
release-2.23.0
release-2.24.0
release-2.25.0
release-2.26.0
release-2.27.0
release-2.28.0
release-2.3.0
release-2.4.0
release-2.5.0
release-2.6.0
release-2.7.0
release-2.8.0
release-2.9.0