← back
CVE-2026-34754

MantisBT allows unauthorized users to upload attachments to restricted issues via REST API

CVSS 4.3 MEDIUMEPSS 0.2%CWE-284
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products
mantisbt · mantisbt

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwchttps://mantisbt.org/bugs/view.php?id=36976