CVE-2026-34754

MantisBT allows unauthorized users to upload attachments to restricted issues via REST API

CVSS 4.3 MEDIUMEPSS 0.2%CWE-284

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Produtos afetados

mantisbt · mantisbt

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc https://mantisbt.org/bugs/view.php?id=36976