PT-2026-27182 · Unknown · Mantis Bug Tracker

Shukla304 · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33517

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mantis Bug Tracker versions prior to 2.28.1

Description: Mantis Bug Tracker is an open source issue tracker. In version 2.28.0, the tag name is not properly escaped when it is displayed in the confirmation message shown before a tag is deleted (via the tag_delete.php script), which allows an attacker to inject HTML. If the Content Security Policy (CSP) settings permit it, this can lead to the execution of arbitrary JavaScript. The vulnerable parameter is the tag name displayed in the confirmation message.

Recommendations: Upgrade to Mantis Bug Tracker version 2.28.1 or later. As a temporary workaround, either revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9 or manually edit the language files to remove the sprintf placeholder %1$s from the $s_tag_delete_message string.
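The advisory describes a classic output-encoding defect: a user-controlled tag name is interpolated through a sprintf placeholder into an HTML confirmation message without being escaped for that context. The PHP below is an added illustration of that bug class and of the corresponding fix; it is not MantisBT code, and the template, function names and the constructed tag name are all hypothetical. Escaping at the point of output is the actual remediation; CSP, as the advisory notes, only limits the impact when the markup does get through.

```php
<?php
// Added example, not MantisBT's code: a user-controlled tag name interpolated
// with sprintf into an HTML confirmation message, first unescaped (the bug class
// the advisory describes) and then escaped for an HTML text context.
// TAG_DELETE_MESSAGE and both function names are hypothetical.

declare(strict_types=1);

// Hypothetical message template using a %1$s sprintf placeholder, in the same
// style as the language string the advisory refers to.
const TAG_DELETE_MESSAGE = 'Are you sure you want to delete the tag "%1$s"?';

// Vulnerable pattern: the raw tag name is placed directly into the HTML output,
// so any markup in the name becomes part of the page.
function confirm_message_unsafe(string $tag_name): string
{
    return sprintf(TAG_DELETE_MESSAGE, $tag_name);
}

// Hardened pattern: encode the untrusted value for an HTML text context before
// it is interpolated. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output.
function confirm_message_safe(string $tag_name): string
{
    $escaped = htmlspecialchars(
        $tag_name,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return sprintf(TAG_DELETE_MESSAGE, $escaped);
}

// Constructed tag name containing harmless markup, the kind of input a reviewer
// would feed the page to confirm the escaping is in place.
$tag_name = 'release <i>1.0</i>';

echo "unsafe: ", confirm_message_unsafe($tag_name), PHP_EOL;
echo "safe:   ", confirm_message_safe($tag_name), PHP_EOL;

// Regression check for the fix: the escaped message must contain no raw
// angle brackets, whatever the tag name holds.
assert(strpos(confirm_message_safe($tag_name), '<') === false);
assert(strpos(confirm_message_safe($tag_name), '>') === false);
```

Run with `php example.php`: the unsafe line shows the markup passed through intact, while the safe line shows it as `&lt;i&gt;1.0&lt;/i&gt;`. The same check applies to any sprintf-built message in a web application: every placeholder that receives untrusted data needs encoding for the context it lands in, and a template string is not a safe place to rely on for that.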

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2026-33517
GHSA-FH48-F69W-7VMP

Affected products

Mantis Bug Tracker