Detections
Analytics

CVE-2026-34744

medium

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.

References

https://mantisbt.org/bugs/view.php?id=36977

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf

https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d

Details

Source: Mitre, NVD

Published: 2026-05-19

Updated: 2026-05-20

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

CVSS v4

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: Medium

EPSS

EPSS: 0.00036