Platform: php
Component: mantisbt/mantisbt
Fixed in: 2.28.1
CVE-2026-33517 is a cross-site scripting (XSS) vulnerability in MantisBT, a web-based bug tracking system. The flaw lets an attacker inject HTML into a page served by the application, which can lead to execution of arbitrary JavaScript in another user's browser. MantisBT versions up to and including 2.28.0 are affected; the fix is in version 2.28.1.
Successful exploitation of CVE-2026-33517 allows an attacker to inject arbitrary HTML, and potentially JavaScript, into MantisBT. An account that is allowed to create or rename tags plants a tag whose name contains markup; the payload is rendered unescaped to whoever later opens the delete confirmation for that tag, typically a manager or administrator. In that user's browser the script can read session cookies that are not marked HttpOnly, perform actions with the victim's privileges (including administrative changes), redirect the victim to attacker-controlled sites, or deface the page. MantisBT sends a Content Security Policy by default; the impact is greatest where that policy has been relaxed to allow inline scripts, so check the Content-Security-Policy response header of the deployment. Even under a strict policy, injected HTML alone can still deface the confirmation page or present a fake form. The worst case is takeover of an administrator account and, through it, of the installation.
CVE-2026-33517 was disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing, but an XSS of this kind is straightforward to reproduce from the fix, so one may appear. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.04% (11th percentile). The issue was reported by Vishal Shukla.
Organizations using MantisBT, particularly those whose trackers hold sensitive data or drive critical workflows, are at risk. Deployments that serve several MantisBT instances, or other applications, from the same origin (same scheme, host and port) are at increased risk, because script injected into one instance can read cookies and issue requests for everything else on that origin. XSS does not cross origins, so instances on separate hostnames are not exposed to each other by this flaw.
• php / server:
grep -rn '\$s_tag_delete_message.*%1\$s' lang/
Matches language files whose tag-delete confirmation string still carries the %1$s placeholder, i.e. the tag name is still interpolated into the message.
• php / server:
grep -n "MANTIS_VERSION" core/constant_inc.php
Shows the installed version; 2.28.0 and earlier are affected.
• generic web:
curl -s https://your-mantisbt-instance/login_page.php | grep -oiE 'Mantis(BT| Bug Tracker) [0-9][0-9.]*'
Works only when the instance prints its version in the page footer ($g_show_version enabled). A request against tag_delete.php is not a usable check: the injected tag name is rendered in the delete confirmation page, which only a logged-in user permitted to delete the tag reaches, and a HEAD request returns no body to inspect.
Disclosure: 2026-03-25
Exploit Status: no public proof-of-concept known
EPSS: 0.04% (11th percentile)
CISA SSVC: not provided
The primary mitigation for CVE-2026-33517 is to upgrade MantisBT to version 2.28.1 or later, which contains the fix. If upgrading is not immediately feasible, a temporary workaround is to revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9, or to edit the language files and remove the sprintf placeholder %1$s from the $s_tag_delete_message string. The language-file edit is a stopgap: it drops the tag name from the confirmation message rather than escaping it, it must be applied to every language file installed under lang/ (not only strings_english.txt), and an upgrade will overwrite it. After upgrading or applying the workaround, verify the fix with a harmless payload: create a tag named <b>test</b>, open the delete confirmation for it, and check that the name is shown as the literal text <b>test</b> (or, with the workaround, not shown at all) rather than rendered in bold. Only then try a script payload, because the page rendering the name is exactly where a real payload would run.
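The checks listed above and the verification step in the mitigation, combined into one shell audit helper. This is an added example, not MantisBT project code. It assumes the install root contains core/constant_inc.php with a define( 'MANTIS_VERSION', 'x.y.z' ) line and language files lang/strings_*.txt that define $s_tag_delete_message; the mock install trees it builds are constructed for the demonstration. It goes beyond the one-line grep by comparing versions field by field (so 2.9.x does not sort above 2.28.x) and by distinguishing a fixed install from one that only has the language-file workaround applied.

```shell
#!/bin/sh
# Audit helper for CVE-2026-33517 (added example, not MantisBT project code).
# Assumed layout, matching the checks on the page: the install root contains
# core/constant_inc.php with  define( 'MANTIS_VERSION', 'x.y.z' );  and
# language files lang/strings_*.txt defining $s_tag_delete_message.

# Print the MANTIS_VERSION defined in an install root (empty if not found).
mantis_version() {
    sed -n "s/.*define( *'MANTIS_VERSION', *'\([0-9][0-9.]*\)'.*/\1/p" \
        "$1/core/constant_inc.php" 2>/dev/null | head -n 1
}

# True (0) when dotted version $1 is lower than $2. Fields are compared as
# numbers, so 2.9.5 < 2.28.0; a plain string compare would get that wrong.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# List language files whose tag-delete confirmation string still interpolates
# the tag name through the %1$s placeholder (the workaround removes it).
placeholder_files() {
    grep -lE '^\$s_tag_delete_message *=.*%1\$s' "$1"/lang/strings_*.txt 2>/dev/null
}

# Verdict for one install root: prints a label; returns 0 when fixed or when
# the language-file workaround is in place, 1 when vulnerable, 2 when unknown.
cve_2026_33517_status() {
    root=$1
    v=$(mantis_version "$root")
    if [ -z "$v" ]; then
        echo "unknown-version"
        return 2
    fi
    if ! version_lt "$v" 2.28.1; then
        echo "fixed ($v)"
        return 0
    fi
    if placeholder_files "$root" >/dev/null; then
        echo "vulnerable ($v, %1\$s still in \$s_tag_delete_message)"
        return 1
    fi
    echo "workaround-applied ($v, upgrade still required)"
    return 0
}

# Constructed mock install trees so the script runs offline; point
# cve_2026_33517_status at a real install root in practice.
make_mock_install() {
    mkdir -p "$1/core" "$1/lang"
    printf "<?php\ndefine( 'MANTIS_VERSION', '%s' );\n" "$2" > "$1/core/constant_inc.php"
    printf "<?php\n\$s_tag_delete_message = '%s';\n" "$3" > "$1/lang/strings_english.txt"
}

demo=$(mktemp -d)
make_mock_install "$demo/old"        2.28.0 'Delete tag %1$s?'
make_mock_install "$demo/workaround" 2.28.0 'Delete this tag?'
make_mock_install "$demo/new"        2.28.1 'Delete tag %1$s?'
for d in old workaround new; do
    printf '%s: ' "$d"
    cve_2026_33517_status "$demo/$d" || true
done
rm -rf "$demo"
```

Run it against a real tree with cve_2026_33517_status /var/www/mantisbt (path assumed); the non-zero exit code on "vulnerable" makes it usable from a cron job or CI step. A "fixed" verdict is decided by version alone, since 2.28.1 keeps the placeholder and escapes the name instead of removing it.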
Upgrade MantisBT to version 2.28.1 or later. Alternatively, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 or manually edit the language files to remove the sprintf placeholder `%1$s` from the `$s_tag_delete_message` string.
CVE-2026-33517 is a cross-site scripting (XSS) vulnerability in MantisBT versions up to and including 2.28.0 that lets an attacker inject HTML and JavaScript, via a crafted tag name, into the tag-delete confirmation page.
You are affected if you are using MantisBT version 2.28.0 or earlier. Upgrade to 2.28.1 to mitigate the risk.
Upgrade to MantisBT version 2.28.1 or later. As a stopgap, revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 or remove the %1$s placeholder from $s_tag_delete_message in every installed language file.
No active exploitation has been confirmed, but an XSS of this kind is easy to reproduce once the fix is public, so treat a proof of concept as likely to appear and prioritise the upgrade.
Refer to the MantisBT project website and security advisories for the latest information and updates.