CVE-2026-33548

EUVD-2026-14525 | HIGH
2026-03-23 | GitHub_M | GHSA-73vx-49mv-v8w5
CVSS 4.0 base score: 8.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: Not Defined (X)

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 23, 2026 - 19:30 (vuln.today)
EUVD ID Assigned: Mar 23, 2026 - 19:30 (euvd) - EUVD-2026-14525
CVE Published: Mar 23, 2026 - 19:15 (nvd) - HIGH 8.6

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted. Version 2.28.1 contains a patch. Workarounds include editing offending History entries (using SQL) and wrapping `$this->tag_name` in a string_html_specialchars() call in IssueTagTimelineEvent::html().
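As an added illustration (not MantisBT's own code), the pattern the workaround targets: a minimal stand-in for IssueTagTimelineEvent::html() that emits `$this->tag_name` raw, beside the same method wrapping it in string_html_specialchars(). The class internals, the surrounding markup and the local stand-in for string_html_specialchars() are assumptions; the real helper is part of MantisBT's core string API.

```php
<?php
// Added illustration, not MantisBT's code: the class bodies below are a
// hypothetical reconstruction of the pattern the advisory describes.

// Stand-in for MantisBT's string_html_specialchars() so the file runs alone;
// the advisory's workaround wraps the tag name in the real helper.
function string_html_specialchars( $p_string ) {
	return htmlspecialchars( $p_string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

class IssueTagTimelineEvent_Before {
	public $tag_name;

	public function __construct( $p_tag_name ) {
		$this->tag_name = $p_tag_name;
	}

	// Vulnerable pattern: the name read back from History is concatenated raw,
	// so any markup stored in a renamed/deleted tag's name is rendered as HTML.
	public function html() {
		return '<span class="tag">' . $this->tag_name . '</span>';
	}
}

class IssueTagTimelineEvent_After extends IssueTagTimelineEvent_Before {
	// Hardened pattern (the workaround): escape before emitting, so the
	// stored name is shown as text rather than interpreted by the browser.
	public function html() {
		return '<span class="tag">' . string_html_specialchars( $this->tag_name ) . '</span>';
	}
}

// Constructed sample: a History entry whose tag name carries markup.
$t_history_tag_name = '<b>release</b>';
echo ( new IssueTagTimelineEvent_Before( $t_history_tag_name ) )->html(), "\n";
echo ( new IssueTagTimelineEvent_After( $t_history_tag_name ) )->html(), "\n";
```

Running this with `php` prints the first span with a live `<b>` element and the second with `&lt;b&gt;release&lt;/b&gt;`, which is the difference between 2.28.0 and the patched rendering.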

Analysis

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. …


Remediation

Within 7 days: Identify all affected systems and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.


Priority Score

43 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0

Vendor Status

Debian (package: mantis)
Release: (unstable) | Status: fixed | Fixed Version: (unfixed) | Urgency: -

CVE-2026-33548 vulnerability details – vuln.today
