CVE-2026-33548

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my view page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping $this->tag name in a string html specialchars() call in IssueTagTimelineEvent::html().