Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5b3y-h1sh-uqhr
Vulnerability ID VCID-5b3y-h1sh-uqhr
Aliases CVE-2026-34744
GHSA-rmp5-5jj7-gmvf
Summary Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-281 Improper Preservation of Permissions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34744
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34744
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34744
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34744
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rmp5-5jj7-gmvf
cvssv4 5.3 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv4 5.3 https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
ssvc Track https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
cvssv4 5.3 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
cvssv4 5.3 https://mantisbt.org/bugs/view.php?id=36977
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=36977
ssvc Track https://mantisbt.org/bugs/view.php?id=36977
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-34744
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34744
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-34744
https://github.com/mantisbt/mantisbt
https://nvd.nist.gov/vuln/detail/CVE-2026-34744
de7bdeec36de066235e38a77bf056917d951c84d https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
GHSA-rmp5-5jj7-gmvf https://github.com/advisories/GHSA-rmp5-5jj7-gmvf
GHSA-rmp5-5jj7-gmvf https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
view.php?id=36977 https://mantisbt.org/bugs/view.php?id=36977
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/ Found at https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=36977
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-20T17:19:00Z/ Found at https://mantisbt.org/bugs/view.php?id=36977
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34744
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02444
EPSS Score 0.00014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:47:21.364125+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/34xxx/CVE-2026-34744.json 38.6.0