Mar 25, 2026 · 6 min read
MantisBT 2.28.0 fails to escape tag names during the deletion confirmation process, enabling stored XSS. Attackers with tag creation rights can execute malicious JavaScript in an administrator's session, leading to potential site compromise. Upgrading to 2.28.1 resolves the issue.
Mantis Bug Tracker (MantisBT) version 2.28.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation component. An attacker with permissions to create or rename tags can inject arbitrary HTML and JavaScript into a tag name. When an administrator subsequently attempts to delete this tag, the payload executes in their browser context, allowing the attacker to perform unauthorized actions or hijack the administrative session.
Mantis Bug Tracker (MantisBT) is an open-source issue tracking system that utilizes a tag-based categorization feature. Users with specific privileges can create, manage, and attach these tags to various issue reports. The vulnerability exists within the administrative interface responsible for managing these tags, specifically in the deletion workflow.
Version 2.28.0 introduced a UI enhancement that includes the specific name of the tag being deleted within the confirmation prompt. This change was implemented to provide clearer context to administrators performing destructive actions. The flaw constitutes a classic Stored Cross-Site Scripting (XSS) condition, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Because the application stores the unsanitized payload in the database and renders it in a higher-privileged user's browser context, the vulnerability bridges the privilege gap between standard users and system administrators. The attacker only requires the minimal permissions necessary to create a tag, while the payload executes with the privileges of the user performing the deletion.
The root cause of CVE-2026-33517 is the direct concatenation of user-controlled database content into an HTML response without prior output encoding. The vulnerability was introduced in commit d6890320752ecf37bd74d11fe14fe7dc12335be9 on January 6, 2025. This commit modified tag_delete.php to generate a dynamic confirmation string rather than a generic prompt.
The application calls tag_get_name($f_tag_id) to retrieve the requested tag's name from the backend database. This function retrieves the raw string exactly as it was provided by the user during the tag creation process. The software then uses the PHP sprintf() function to embed this raw string into a localized confirmation message template.
The resulting string is passed to helper_ensure_confirmed(), a core MantisBT function that renders confirmation pages. This helper function assumes that the input string is already safe for HTML rendering and writes it directly into the HTML response that the browser parses into its Document Object Model (DOM). Since no encoding occurs between retrieval from the database and rendering in the browser, any HTML elements present in the tag name are interpreted as markup rather than text.
An analysis of the vulnerable tag_delete.php file in version 2.28.0 reveals the exact path of the unsanitized data. The relevant code block is responsible for constructing the message that asks the user to confirm the deletion action.
```php
$f_tag_id = gpc_get_int( 'tag_id' );
tag_ensure_exists( $f_tag_id );
$t_tag_row = tag_get( $f_tag_id );
// The raw tag name from the database is interpolated into the HTML message with no output encoding.
$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) );
helper_ensure_confirmed( $t_confirm_msg, lang_get( 'tag_delete_button' ) );
```

The patch implemented in commit 80990f43153167c73f11eb4b2bc7108d0c3d6b46 resolves the issue by wrapping the retrieved tag name in an output encoding function. MantisBT uses a custom wrapper function named string_html_specialchars() to perform this encoding.
```diff
--- a/tag_delete.php
+++ b/tag_delete.php
@@ -49,7 +49,9 @@
$f_tag_id = gpc_get_int( 'tag_id' );
tag_ensure_exists( $f_tag_id );
$t_tag_row = tag_get( $f_tag_id );
-$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ), tag_get_name( $f_tag_id ) );
+$t_confirm_msg = sprintf( lang_get( 'tag_delete_message' ),
+ string_html_specialchars( tag_get_name( $f_tag_id ) )
+);
helper_ensure_confirmed( $t_confirm_msg, lang_get( 'tag_delete_button' ) );
```

This fix is complete and correctly applies context-aware encoding. By converting special characters like `<` and `>` into their corresponding HTML entities (`&lt;` and `&gt;`), the browser interprets the payload as literal text rather than executable script.
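Review bot: the context line `$t_tag_row = tag_get( $f_tag_id );` is fetched but never used by the lines below it, which call `tag_get_name( $f_tag_id )` and so look the same row up a second time; if the row array carries the name, `string_html_specialchars( $t_tag_row['name'] )` (key assumed) would remove the redundant query. The encode-then-sprintf order in the `+` lines is the right one: the placeholder value is the only untrusted part of the message, while the localized template from `lang_get()` is trusted markup, so encoding before interpolation avoids double-encoding the template.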
Exploiting this vulnerability requires an attacker to possess an account with permissions to create or rename tags. In standard MantisBT configurations, this capability is typically granted to users with the 'Manager' or 'Administrator' roles, although custom configurations may grant it to lower-privileged users. The attacker authenticates to the application and accesses the tag creation interface.
The attacker submits a new tag containing a malicious JavaScript payload. A standard proof-of-concept payload such as "><script>alert(document.cookie)</script> is sufficient. The application accepts this input and stores it in the database without modification, as the primary protection mechanism in MantisBT relies on output encoding rather than input sanitization.
The execution phase occurs asynchronously when a targeted victim, typically an administrator, interacts with the compromised tag. The victim navigates to the 'Manage Tags' page and attempts to delete the suspicious tag. Upon clicking the 'Delete' button, the browser redirects to tag_delete.php, which renders the confirmation message and executes the attacker's JavaScript within the victim's session.
The primary impact of this stored XSS vulnerability is administrative session hijacking and unauthorized state modification. Because the payload executes in the context of the user deleting the tag, an attacker can leverage the victim's elevated privileges. The malicious script can silently formulate and send HTTP requests to other administrative endpoints within the MantisBT application.
Successful exploitation allows the attacker to perform any action the victim is authorized to perform. This includes creating new administrative accounts, modifying system configurations, altering issue tracker data, or extracting sensitive project information. The exploit executes transparently, and the victim observes only the standard deletion confirmation prompt.
The CVSS v4.0 base score is calculated as 8.6, reflecting the high impact on confidentiality, integrity, and availability within the vulnerable system. A discrepancy exists between the CVSS v4.0 and v3.1 scoring regarding the 'Privileges Required' metric. The v4.0 score assumes low privileges are required based on permissive tag creation configurations, while the v3.1 score evaluates it based on default configurations where higher privileges are typically needed.
The definitive remediation for CVE-2026-33517 is upgrading the MantisBT installation to version 2.28.1. This release contains the patch that introduces proper HTML output encoding in the tag_delete.php workflow. Administrators should schedule this upgrade immediately if untrusted users hold tag creation permissions.
Organizations unable to patch immediately can apply several operational workarounds. The most direct method is manually applying the diff provided in commit 80990f43153167c73f11eb4b2bc7108d0c3d6b46 to the tag_delete.php file on the web server. Alternatively, administrators can modify the localized string file (e.g., lang/strings_english.txt) by removing the %1$s formatting placeholder from the $s_tag_delete_message variable, which prevents the tag name from being rendered.
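The following is an added example, not MantisBT's own code: it models how the confirmation message is built in 2.28.0, after the patch, and under the lang-file workaround, and flags which result still carries raw markup. The template text and the `string_html_specialchars()` stand-in are assumptions; only the `%1$s` placeholder mirrors the real `$s_tag_delete_message` string.

```php
<?php
// Added example (not MantisBT's own code). Models the three message-building
// paths discussed in the advisory for a constructed tag name.
declare(strict_types=1);

// Assumption: the English template wording. Only the %1$s placeholder is taken
// from the real $s_tag_delete_message string.
const TAG_DELETE_MESSAGE = 'Are you sure you want to delete the tag "%1$s"?';
// Workaround variant: placeholder removed, so the tag name is never rendered.
const TAG_DELETE_MESSAGE_NO_PLACEHOLDER = 'Are you sure you want to delete this tag?';

// Stand-in for MantisBT's string_html_specialchars(): entity-encode for an
// HTML text context. (Assumption: the real wrapper behaves like this.)
function string_html_specialchars(string $p_string): string {
    return htmlspecialchars($p_string, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2.28.0 behaviour: the raw database value is interpolated into the HTML message.
function build_confirm_msg_vulnerable(string $p_tag_name): string {
    return sprintf(TAG_DELETE_MESSAGE, $p_tag_name);
}

// 2.28.1 behaviour: encode at the output boundary, then interpolate.
function build_confirm_msg_fixed(string $p_tag_name): string {
    return sprintf(TAG_DELETE_MESSAGE, string_html_specialchars($p_tag_name));
}

// Lang-file workaround: the name is simply not part of the message.
function build_confirm_msg_workaround(string $p_tag_name): string {
    return TAG_DELETE_MESSAGE_NO_PLACEHOLDER;
}

// Detection helper: true when the fragment still contains an element opener
// ("<" followed by a letter, "/", "!" or "?") that a browser parses as markup.
function contains_html_tag(string $p_html_fragment): bool {
    return (bool) preg_match('/<[a-z\/!?]/i', $p_html_fragment);
}

// Constructed sample tag name, shaped like the advisory's proof of concept.
$t_tag_name = '"><script>alert(document.cookie)</script>';

$t_variants = [
    'vulnerable' => build_confirm_msg_vulnerable($t_tag_name),
    'fixed'      => build_confirm_msg_fixed($t_tag_name),
    'workaround' => build_confirm_msg_workaround($t_tag_name),
];
foreach ($t_variants as $t_label => $t_msg) {
    printf("%-10s raw markup: %-3s %s\n", $t_label,
        contains_html_tag($t_msg) ? 'YES' : 'no', $t_msg);
}
```

Only the vulnerable variant reports raw markup; the fixed variant shows the name as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text.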
> [!NOTE]
> Implementing a strict Content Security Policy (CSP) provides defense-in-depth against this and similar XSS vulnerabilities.

Configuring the web server to send a CSP header whose script-src directive omits 'unsafe-inline' blocks execution of the injected inline script. When the browser encounters the injected <script> element, the CSP engine refuses to run it and reports a policy violation (to the browser console, and to a reporting endpoint if one is configured), so the exploit fails even though the vulnerable code still renders the payload.
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Mantis Bug Tracker (MantisBT) | 2.28.0 | 2.28.1 |
| Attribute | Detail |
|---|---|
| Vulnerability Type | Stored Cross-Site Scripting |
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVSS v4.0 Base | 8.6 |
| Attack Vector | Network |
| Exploit Status | Proof of Concept |
| CISA KEV | Not Listed |