What is GHSA-h4x5-gvx6-3rwc?

GHSA-h4x5-gvx6-3rwc is a security advisory published by GitHub Security Advisories with Medium severity. MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API

Which CVE IDs does GHSA-h4x5-gvx6-3rwc cover?

GHSA-h4x5-gvx6-3rwc covers the following CVE IDs: CVE-2026-34754. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-h4x5-gvx6-3rwc?

GHSA-h4x5-gvx6-3rwc has a CVSS v3 base score of 4.3, published by GitHub Security Advisories.

Which products are affected by GHSA-h4x5-gvx6-3rwc?

GHSA-h4x5-gvx6-3rwc affects 1 product, including: composer/mantisbt/mantisbt:\u003c= 2.28.1.

GHSA-h4x5-gvx6-3rwcMediumCVSS 4.3

MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2026-34754 →

📋 Description

Impact

MantisBT allows an authenticated user to upload attachments to private Issues they are not authorized to access.

Patches

b262b4d2835b81394d75356dead66e52a6275206

Workarounds

None.

Credits

Thanks to Vishal Shukla for discovering and responsibly reporting the issue.

🎯 Affected products1

composer/mantisbt/mantisbt:<= 2.28.1

🔗 References (5)

https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
https://mantisbt.org/bugs/view.php?id=36976
https://nvd.nist.gov/vuln/detail/CVE-2026-34754
https://github.com/advisories/GHSA-h4x5-gvx6-3rwc