CVE-2026-33517
Description
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript.
### Impact
Cross-site scripting (XSS).
### Patches
80990f43153167c73f11eb4b2bc7108d0c3d6b46
### Workarounds
* Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9
* Manually edit language files to remove the sprintf placeholder `%1$s` from *$s_tag_delete_message* string, for example with `sed -r -i '/tag_delete_message/s/.%1\$s.//' -- lang/`
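
To confirm the second workaround took effect, the following added example (not part of the MantisBT advisory) lists language files whose `tag_delete_message` line still carries `%1$s` and applies the advisory's `sed` expression to each file. It assumes GNU sed and that the language files sit directly inside the directory passed in; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit language files for the tag_delete_message placeholder.
# Assumes GNU sed (-r, -i) and language files directly under the given directory.

# Constructed sample data (not real MantisBT language files).
make_sample_lang_dir() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/strings_example_a.txt" <<'EOF'
$s_tag_delete_message = 'Really delete tag "%1$s"?';
$s_other_message = 'Value is %1$s';
EOF
    cat > "$dir/strings_example_b.txt" <<'EOF'
$s_tag_delete_message = 'Really delete this tag?';
EOF
}

# Print every file in $1 whose tag_delete_message line still contains %1$s.
# Returns 0 when none remain, 1 when at least one file is still unpatched.
find_unpatched_lang_files() {
    dir=$1
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only the tag_delete_message line matters; other strings keep %1$s.
        if grep -E 'tag_delete_message' -- "$f" | grep -F -q '%1$s'; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# Apply the advisory's sed expression to each regular file in $1.
apply_workaround() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        sed -r -i '/tag_delete_message/s/.%1\$s.//' -- "$f"
    done
}

# Stand-alone use: pass the language directory as the first argument.
if [ -n "${1:-}" ]; then
    find_unpatched_lang_files "$1" || echo "files above still contain %1\$s" >&2
fi
```

The audit inspects only the `tag_delete_message` line, so other strings that use `%1$s` are neither reported nor modified.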
### Credits
MantisBT thanks Vishal Shukla for discovering and responsibly reporting the issue.