CVE-2026-33548 in Mantis Bug Tracker
Summary
by MITRE • 03/23/2026
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability identified as CVE-2026-33548 affects Mantis Bug Tracker version 2.28.0 and represents a critical cross-site scripting flaw that arises from inadequate input sanitization within the timeline history display functionality. This vulnerability specifically manifests when the system processes tag names retrieved from historical records, particularly those that have undergone renaming or deletion operations. The root cause stems from the application's failure to properly escape HTML characters in tag names before rendering them in the user interface, creating a pathway for malicious code injection that can be exploited by attackers who have access to modify or manipulate the bug tracking system's history data.
The technical exploitation of this vulnerability occurs through the Timeline display mechanism in the my_view_page.php component where historical tag information is rendered without proper HTML escaping. When an attacker manipulates tag names in the system's history to include malicious HTML or JavaScript code, the unescaped content gets executed within the context of other users' browsers who view the timeline. This vulnerability is particularly dangerous because it leverages the existing history functionality rather than requiring new attack vectors, making it easier to exploit in environments where users regularly interact with the timeline view. The flaw aligns with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities, and represents a classic case of insufficient output escaping in dynamic web applications.
The operational impact of this vulnerability extends beyond simple data corruption or information disclosure: it can potentially lead to complete session hijacking, unauthorized access to sensitive project data, and privilege escalation within the bug tracking environment. Attackers could leverage this vulnerability to inject scripts that steal cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users. The vulnerability is particularly concerning in enterprise environments where MantisBT serves as a central issue tracking system for development teams, as it could give attackers a foothold from which to access sensitive project information, development credentials, or other valuable assets. The exploitation requires minimal privileges to manipulate history entries, making it an attractive target for both internal and external threat actors.
Organizations affected by this vulnerability should immediately upgrade to version 2.28.1, which addresses the HTML escaping issue in the IssueTagTimelineEvent::html() method. The published workarounds are manual database cleanup through SQL to remove offending content from history entries, and wrapping the tag name in a string_html_specialchars() call so that it is escaped before display. Additionally, administrators should review their Content Security Policy configuration to limit the impact of any successful exploitation attempt, though, given the vulnerability's nature, CSP alone cannot be relied on to fully prevent execution of malicious JavaScript in the affected scenarios. The mitigation strategy should also include monitoring of history modification activities and proper access controls to prevent unauthorized users from manipulating the system's historical records, in line with the principles of least privilege and defense in depth recommended by cybersecurity frameworks.
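The defect and the fix described in the summary and in the mitigation paragraph above, as an added illustration that is not MantisBT's own code: a simplified stand-in for IssueTagTimelineEvent::html() rendering a tag name read back from History, first unescaped (the 2.28.0 behaviour) and then wrapped in string_html_specialchars() as the workaround prescribes. The class layout, the markup produced, and the body of the string_html_specialchars() stand-in are assumptions made for this example; only the method and helper names come from the advisory.

```php
<?php
// Stand-in for MantisBT's string_html_specialchars() (core/string_api.php);
// the real helper's exact body is not reproduced here. Assumed behaviour:
// escape &, <, >, " and ' for UTF-8 output.
function string_html_specialchars( $p_string ) {
    return htmlspecialchars( (string)$p_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Simplified model of the timeline event class. The tag name comes from the
// bug history table, not the live tag table, which is why a renamed or
// deleted tag reaches the Timeline with whatever text the history row holds.
class IssueTagTimelineEventDemo {
    public $tag_name;
    public $attached;   // true = tag attached, false = tag detached

    public function __construct( $p_tag_name, $p_attached ) {
        $this->tag_name = $p_tag_name;
        $this->attached = $p_attached;
    }

    // Vulnerable shape (simplified): the history value is concatenated into
    // the markup as-is, so any HTML in it is rendered by the viewer's browser.
    public function html_unescaped() {
        $t_action = $this->attached ? 'attached tag' : 'detached tag';
        return '<div class="timeline-event">' . $t_action
            . ' <strong>' . $this->tag_name . '</strong></div>';
    }

    // Hardened shape: the advisory's workaround, wrapping $this->tag_name in
    // string_html_specialchars() so markup is shown as text, not parsed.
    public function html() {
        $t_action = $this->attached ? 'attached tag' : 'detached tag';
        return '<div class="timeline-event">' . $t_action
            . ' <strong>' . string_html_specialchars( $this->tag_name ) . '</strong></div>';
    }
}

// Constructed sample history value: a tag that carried markup in its name
// before being renamed, so the Timeline displays the stored history text.
$t_event = new IssueTagTimelineEventDemo( '<i>legacy-name</i> "v1"', true );

echo "unescaped: " . $t_event->html_unescaped() . "\n";
echo "escaped:   " . $t_event->html() . "\n";
```

The escaped line renders `&lt;i&gt;legacy-name&lt;/i&gt; &quot;v1&quot;`, so the stored markup is displayed literally; the same check (no raw `<` or `"` in the rendered tag name) is what an administrator can look for when auditing history entries before or after the SQL cleanup.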