Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cx6p-ncwb-k3bg
Vulnerability ID VCID-cx6p-ncwb-k3bg
Aliases CVE-2026-34970
GHSA-crmx-4p49-46m2
Summary MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked MantisBT allows a bugnote author to access the note's Revisions page after losing access to the parent private issue. ### Impact Disclosure of the private Issue's Id and Summary. The bugnote full revision body remains secure. ### Patches - 71df1f67e05b2050cd4bd87839e6cc13747cf03f ### Workarounds None ### Credits Thanks to Vishal Shukla for discovering and responsibly reporting the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
System Score Found at
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-34970
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-34970
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2026-34970
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-crmx-4p49-46m2
cvssv4 5.3 https://github.com/mantisbt/mantisbt
generic_textual MODERATE https://github.com/mantisbt/mantisbt
cvssv4 5.3 https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
generic_textual MODERATE https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
ssvc Track https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
cvssv3.1_qr MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
cvssv4 5.3 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
generic_textual MODERATE https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
ssvc Track https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
cvssv4 5.3 https://mantisbt.org/bugs/view.php?id=36978
generic_textual MODERATE https://mantisbt.org/bugs/view.php?id=36978
ssvc Track https://mantisbt.org/bugs/view.php?id=36978
cvssv4 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-34970
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-34970
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-34970
https://github.com/mantisbt/mantisbt
https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
https://mantisbt.org/bugs/view.php?id=36978
https://nvd.nist.gov/vuln/detail/CVE-2026-34970
GHSA-crmx-4p49-46m2 https://github.com/advisories/GHSA-crmx-4p49-46m2
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/ Found at https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/ Found at https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://mantisbt.org/bugs/view.php?id=36978
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-20T13:04:45Z/ Found at https://mantisbt.org/bugs/view.php?id=36978
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34970
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0309
EPSS Score 0.00015
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:00:58.694416+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-crmx-4p49-46m2/GHSA-crmx-4p49-46m2.json 38.6.0