CVE-2026-34754
MEDIUM
Improper Access Control (CWE-284)
4.3
CVSS 3.1 · GitHub Advisory
Share
Severity by source
GitHub Advisory
PRIMARY
4.3
MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Lifecycle Timeline
1
CVE Published
May 11, 2026 - 19:33 nvd
MEDIUM 4.3
DescriptionGitHub Advisory
Impact
MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.
Patches
- b262b4d2835b81394d75356dead66e52a6275206
Workarounds
None.
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Analysis
Impact
MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.
Patches
- b262b4d2835b81394d75356dead66e52a6275206
Workarounds
None.
Credits
Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).
GHSA-h4x5-gvx6-3rwc