Lucene search

8 matches found

Vulnrichment
added 2026/05/19 11:17 p.m., 4 views

CVE-2026-34970 MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2...

CVSS 5.3, AI score 5.7, EPSS 0.00015
Exploits: 0, References: 3
CVE
added 2026/05/19 11:17 p.m., 8 views

CVE-2026-34970

Summary: CVE-2026-34970 affects MantisBT, where versions 2.28.1 and earlier allow a bugnote author to view the Revisions page of a private issue after losing access to that issue. This undermines confidentiality by exposing private issue metadata on the Revisions page. Root cause (as described): ...

CVSS 5.3, AI score 5.7, EPSS 0.00015
Exploits: 0, References: 3
OSV
added 2026/05/11 7:33 p.m., 3 views

GHSA-CRMX-4P49-46M2 MantisBT: Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked

MantisBT allows a bugnote author to access the note's Revisions page after losing access to the parent private issue. Impact: Disclosure of the private Issue's Id and Summary. The bugnote full revision body remains secure. Patches: 71df1f67e05b2050cd4bd87839e6cc13747cf03f. Workarounds: None. Credits...

CVSS 5.3, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 4
Positive Technologies
added 2026/05/11 12:0 a.m., 3 views

PT-2026-39879

Name of the Vulnerable Software and Affected Versions: Mantis Bug Tracker (MantisBT) versions prior to 2.28.2. Description: A bugnote author can access the Revisions page of a note even after losing access to the parent private issue. This leads to the disclosure of the private issue's ID and summary,...

CVSS 5.3, AI score 5.8, EPSS 0.00015
Exploits: 0, References: 6
OSV
added 2022/05/24 5:37 p.m., 3 views

GHSA-7J8M-FM49-XGMG MantisBT Incorrect Authorization for bug_revision_view_page.php check

An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter...

CVSS 7.5, AI score 7.5, EPSS 0.00762
Exploits: 1, References: 4
OSV
added 2020/12/30 7:15 p.m., 16 views

CVE-2020-35849

An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter...

CVSS 7.5, AI score 6.7
Exploits: 0, References: 1
Cvelist
added 2020/12/30 6:4 p.m., 12 views

CVE-2020-35849

An issue was discovered in MantisBT before 2.24.4. An incorrect access check in bug_revision_view_page.php allows an unprivileged attacker to view the Summary field of private issues, as well as bugnotes revisions, gaining access to potentially confidential information via the bugnote_id parameter...

AI score 7.3, EPSS 0.00762
Exploits: 1, References: 1
CNNVD
added 2020/12/30 12:0 a.m., 1 view

MantisBT Security Vulnerability

MantisBT is a lightweight, free and open source, web-based defect tracking system. An information disclosure vulnerability exists in MantisBT versions prior to 2.24.4. The vulnerability stems from a failure to check access to bug_revision_view_page.php correctly. An attacker can exploit the...

CVSS 7.5, AI score 5.8, EPSS 0.00762
Exploits: 1, References: 2