View Issue Details

ID: 0036971
Project: mantisbt
Category: security
View Status: public
Last Update: 2026-03-23 13:23
Reporter: ninjasec
Assigned To: dregad
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.28.0
Target Version: 2.28.1
Fixed in Version: 2.28.1
Summary: 0036971: CVE-2026-33517: Stored HTML Injection / XSS in Tag Delete Confirmation via Unescaped Tag Name
Description

MantisBT renders the tag delete confirmation message with attacker-controlled tag names inserted into the HTML response without output escaping.

In the French locale, the tag_delete_message string contains %1$s, and tag_delete.php:52 passes the tag name directly into sprintf(). The resulting message is then printed by helper_ensure_confirmed():427 without HTML escaping.

Tag names are not sanitized against HTML/JavaScript content by tag_name_is_valid():261, which only blocks +, -, and the configured tag separator.

In the tested localhost build, the injected <script> reached the DOM but execution was blocked by the application’s Content Security Policy. As a result, this is confirmed as a stored HTML/script injection sink, and may become executable XSS where CSP is absent, weakened, disabled or bypassed.

Steps To Reproduce
  1. Log in as a low-privilege user able to create tags, such as REPORTER.
  2. Create a new issue and attach a tag with this value:
    <script>alert(document.domain)</script> or HTML payload <h1>hey</h1>
  3. Log in as a user with permission to delete tags, such as DEVELOPER or above.
  4. Set that user’s language to French (français).
  5. Open the tag management page.
  6. Locate the malicious tag and click Supprimer.
  7. Observe the delete confirmation page.
Additional Information

It is not limited to the French locale; others such as English, Polish, Turkish and Japanese are affected as well.

Github: https://github.com/shukla304
Name: Vishal Shukla
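The sink described above, as an added PHP example that is not MantisBT's own code: a stand-in for the validator (which only rejects +, - and the separator), a stand-in for the localized tag_delete_message string, and the message built once without and once with output escaping. Function names, the format string and the use of plain htmlspecialchars() are assumptions for illustration, not the project's API.

```php
<?php
// Added example, not MantisBT code. Mirrors the sink described in the report:
// a localized format string containing %1$s receives the tag name via sprintf()
// and the result is printed as HTML. Names below are illustrative assumptions.

// Assumed stand-in for tag_name_is_valid(): only '+', '-' and the configured
// separator are rejected, so HTML metacharacters pass through untouched.
function tag_name_is_valid_demo(string $name, string $separator = ','): bool {
    return $name !== '' && strpbrk($name, '+-' . $separator) === false;
}

// Assumed stand-in for the localized tag_delete_message string.
const TAG_DELETE_MESSAGE_DEMO = 'Êtes-vous sûr de vouloir supprimer le tag « %1$s » ?';

// Vulnerable pattern: the raw tag name is interpolated straight into markup
// that is later printed without escaping.
function build_delete_message_vulnerable(string $tag_name): string {
    return sprintf(TAG_DELETE_MESSAGE_DEMO, $tag_name);
}

// Fixed pattern: escape the untrusted value before it enters the HTML message,
// so any markup in the tag name is rendered as text, not parsed as elements.
function build_delete_message_fixed(string $tag_name): string {
    $escaped = htmlspecialchars($tag_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(TAG_DELETE_MESSAGE_DEMO, $escaped);
}

// Constructed sample input: the payload from the report's reproduction steps.
$tag = '<script>alert(document.domain)</script>';

// The validator accepts the payload because it contains no '+', '-' or separator.
var_dump(tag_name_is_valid_demo($tag));

// The vulnerable message carries the raw tags; the fixed one carries entities.
echo build_delete_message_vulnerable($tag), PHP_EOL;
echo build_delete_message_fixed($tag), PHP_EOL;

// Self-check: the escaped message must not contain a raw '<' from the input.
assert(strpos(build_delete_message_fixed($tag), '<') === false);
```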

Tags: No tags attached.
Attached Files
xss_screenshot.png (311,934 bytes)

Relationships

related to 0036972 (closed, dregad): Invalid use of {{GENDER:*}} tag in French language strings
related to 0022607 (closed, dregad): Clean up unused tags
related to 0036973 (closed, dregad): CVE-2026-33548: Stored HTML Injection / XSS in my_view_page.php Timeline via Unescaped Historic Tag Name

Activities

dregad

2026-03-15 19:41

developer   ~0070878

Thanks for the report @ninjasec.

I confirm the vulnerability, which was introduced in 2.28.0 by MantisBT master d6890320, when the language string was modified to include the tag name (see 0022607).

The problem is not language-specific; it's just that not all languages have been updated to reflect the above-mentioned change in the master English language file.

I will request a CVE, and start working on the patch. I'll let you know when it's available.

dregad

2026-03-15 19:43

developer   ~0070879

Last edited: 2026-03-15 19:44

As a side note, the {{GENDER:||e}} in the language string shown on your screenshot is an incorrect translation, I'll fix that too (follow-up in 0036972) but that's independent from the security issue.

dregad

2026-03-15 20:13

developer   ~0070880

GitHub security advisory opened: https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp

Waiting for CVE ID assignment.

dregad

2026-03-15 20:31

developer   ~0070881

The fix was quite simple; I have confirmed that it fixes the XSS.
PR https://github.com/mantisbt/mantisbt-ghsa-fh48-f69w-7vmp/pull/1 is ready for review - @ninjasec your feedback is welcome.

Considering that release 2.28.1 is scheduled for tomorrow around 12:00 UTC with the patch for another vulnerability, I'll probably include this one too, even if the CVE is not out yet.

dregad

2026-03-15 20:36

developer   ~0070882

confirmed that it fixes the XSS

image.png (28,020 bytes)

ninjasec

2026-03-16 07:25

reporter   ~0070884

Verified, it has been patched.

dregad

2026-03-21 19:30

developer   ~0070899

CVE request re-submitted following feedback from GitHub staff.

dregad

2026-03-23 13:00

developer   ~0070903

CVE-2026-33517 assigned

Related Changesets

MantisBT: master-2.28 80990f43

2026-03-15 20:23

dregad

Properly escape tag name prior to display

Prevents XSS when displaying the confirmation message prior to deleting
a tag.

Fixes 0036971
Affected Issues
0036971
mod - tag_delete.php