[MEDIUM] MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API

PKSA-vg9w-dq6n-8d9w CVE-2026-34754 GHSA-h4x5-gvx6-3rwc

Affected package: mantisbt/mantisbt

Affected version: <=2.28.1

Reported by:
GitHub