CVE-2026-34754

Severity CVSS v4.0:

Pending analysis

Type:

CWE-284 Improper Access Control

Publication date:

20/05/2026

Last modified:

20/05/2026

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): None

Base Score 3.x

4.30

Severity 3.x

MEDIUM

References to Advisories, Solutions, and Tools

https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
https://mantisbt.org/bugs/view.php?id=36976