CVE-2026-33517
The CVE-2026-33517 entry concerns MantisBT 2.28.0, where deleting a Tag (tag_delete.php) allows stored HTML injection due to improper escaping in the confirmation message. This can enable arbitrary JavaScript execution if CSP settings permit. The issue is fixed in version 2.28.1. Workarounds incl...