MantisBT: master-2.28 b262b4d2

Author: dregad
Committer: dregad
Branch: master-2.28
Timestamp: 2026-03-30 13:32
Parent: master-2.28 de7bdeec
Affected Issues: 0036976: CVE-2026-34754: Authorization Bypass Allows Uploading Attachments to Private Issues via REST
Changeset

Prevent unauthorized attachment upload via REST

file_allow_project_upload() has been modified to check access for
upload_bug_file_threshold against

  • project for new issues
  • bug for existing issues

Fixes 0036976, GHSA-h4x5-gvx6-3rwc

mod - core/file_api.php