Platform
php
Component
mantisbt/mantisbt
Fixed in
2.28.1
CVE-2026-33517 describes a cross-site scripting (XSS) vulnerability in MantisBT, a web-based project management application. This flaw allows an attacker to inject malicious HTML code, potentially leading to the execution of arbitrary JavaScript within a user's browser. The vulnerability impacts versions of MantisBT up to 2.28.0, and a fix is available in version 2.28.1.
Successful exploitation of CVE-2026-33517 allows an attacker to inject arbitrary HTML into the MantisBT application. If the application's Content Security Policy (CSP) settings are not properly configured, this HTML injection can lead to the execution of arbitrary JavaScript code within the context of a user's browser. This could enable attackers to steal session cookies, redirect users to malicious websites, deface the application, or perform other actions on behalf of the victim. The impact is particularly severe if the MantisBT instance is used to manage sensitive project data or if it is accessible to a large number of users.
CVE-2026-33517 was publicly disclosed on 2026-03-25. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature (XSS) makes it likely that a PoC will emerge. The EPSS score is currently pending evaluation. The vulnerability is tracked by CISA and listed in the KEV catalog.
Organizations using MantisBT for project management, particularly those with sensitive data or critical workflows, are at risk. Shared hosting environments where multiple MantisBT instances are installed on the same server are also at increased risk, as a compromise of one instance could potentially lead to the compromise of others.
• php / server:
  grep -rn '\$s_tag_delete_message.*%1\$s' -- lang/
• generic web:
  curl -I "http://your-mantisbt-instance/tag_delete.php?tag=alert('XSS')"
• generic web:
  Check the MantisBT language files for the vulnerable string $s_tag_delete_message containing the %1$s placeholder.
Disclosure
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33517 is to upgrade MantisBT to version 2.28.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, several workarounds can be implemented. One workaround involves reverting commit d6890320752ecf37bd74d11fe14fe7dc12335be9, which introduced the vulnerable code. Alternatively, administrators can manually edit the language files to remove the vulnerable sprintf placeholder (%1$s) from the $s_tag_delete_message string. After applying the upgrade or workaround, verify the fix by attempting to delete a tag and confirming that no malicious HTML is injected into the page.
Upgrade MantisBT to version 2.28.1 or later. Alternatively, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 or manually edit the language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
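As an added example (not MantisBT code and not part of this advisory), the following Python script performs the language-file check described above and emulates the placeholder substitution with and without HTML escaping, which is what the post-fix verification is looking for. The language-file content is constructed; only the variable name $s_tag_delete_message and the %1$s placeholder come from the advisory.

```python
import html
import re
from typing import Optional

# Constructed sample in the style of a MantisBT language file (PHP string
# assignments); these lines are made up for this example, not copied from
# the project.
SAMPLE_LANG_FILE = """<?php
$s_tag_delete_button = 'Delete Tag';
$s_tag_delete_message = 'Are you sure you want to delete the tag %1$s?';
"""

# One PHP string assignment per line: $s_name = 'value'; or $s_name = "value";
ASSIGN_RE = re.compile(
    r"^\s*\$(?P<name>s_\w+)\s*=\s*(?P<q>['\"])(?P<value>.*?)(?P=q)\s*;",
    re.MULTILINE,
)
# Positional sprintf placeholder such as %1$s.
PLACEHOLDER_RE = re.compile(r"%\d+\$s")


def find_lang_string(source: str, name: str) -> Optional[str]:
    """Return the value assigned to $<name> in a language file, else None."""
    for match in ASSIGN_RE.finditer(source):
        if match.group("name") == name:
            return match.group("value")
    return None


def message_has_placeholder(source: str, name: str = "s_tag_delete_message") -> bool:
    """The advisory's check: does $s_tag_delete_message still carry %1$s?"""
    value = find_lang_string(source, name)
    return value is not None and PLACEHOLDER_RE.search(value) is not None


def render_message(template: str, tag_name: str, escape: bool = True) -> str:
    """Emulate sprintf(template, tag_name) as the browser would receive it.

    escape=False reproduces substitution of a raw tag name into the HTML;
    escape=True HTML-escapes the name first, so any markup in it stays inert.
    """
    value = html.escape(tag_name, quote=True) if escape else tag_name
    return PLACEHOLDER_RE.sub(lambda _m: value, template)


if __name__ == "__main__":
    print("placeholder present:", message_has_placeholder(SAMPLE_LANG_FILE))
    template = find_lang_string(SAMPLE_LANG_FILE, "s_tag_delete_message")
    print(render_message(template, "<b>release</b>", escape=False))
    print(render_message(template, "<b>release</b>"))
```

To run the check against a real install, read each file under lang/ and pass its contents to message_has_placeholder.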
CVE-2026-33517 is a cross-site scripting (XSS) vulnerability in MantisBT versions up to 2.28.0, allowing attackers to inject malicious code.
You are affected if you are using MantisBT version 2.28.0 or earlier. Upgrade to 2.28.1 to mitigate the risk.
Upgrade to MantisBT version 2.28.1. Alternatively, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 or manually edit language files.
While no active exploitation is currently confirmed, the vulnerability's nature makes it likely that exploits will emerge.
Refer to the MantisBT project website and security advisories for the latest information and updates.