Input Validation Flaw in Mantis Bug Tracker Allows Log Corruption
CVE-2025-46556

6.5 MEDIUM

Key Information:

Vendor: Mantisbt
Status: Vendor
CVE Published: 4 November 2025

What is CVE-2025-46556?

Mantis Bug Tracker, a widely used open-source issue tracking tool, does not verify the length of submitted notes on the server side. A user can therefore post an excessively long note (the report tested notes of up to 4,788,761 characters) that permanently corrupts the issue's activity log: the activity stream UI fails to render, subsequent notes are no longer displayed, and collaboration on the affected issue is effectively blocked. The issue is fixed in version 2.27.2; installations running earlier releases should update.

Affected Version(s)

mantisbt < 2.27.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved