CVE-2025-46556
BaseFortify
Publication date: 2025-11-04
Last updated on: 2025-11-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mantisbt | mantisbt | up to 2.27.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Mantis Bug Tracker (MantisBT) versions 2.27.1 and below allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). The root cause is the lack of server-side validation on the length of notes. When such a long note is added, the activity stream user interface fails to render, preventing new notes from being displayed and effectively breaking all future collaboration on that issue. The issue is fixed in version 2.27.2.
How can this vulnerability impact me?
The vulnerability can impact you by disrupting collaboration on issues tracked in MantisBT. Since the activity stream UI fails to render after a very long note is added, new notes cannot be displayed, which breaks all future collaboration on the affected issue. This can lead to loss of visibility into issue progress and hinder effective issue tracking and resolution.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Mantis Bug Tracker to version 2.27.2 or later, as this version contains the fix for the vulnerability that allows permanent corruption of issue activity logs by submitting extremely long notes.
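The Q&A above attributes the defect to a missing server-side length check on notes (CWE-770, unbounded resource allocation) and recommends upgrading. The following is an added illustration, not MantisBT code, of the two controls a defender would want around this class of bug: a server-side validator that rejects oversized notes before they are stored, and a scan that finds notes already in the store that exceed the limit, so affected issues can be triaged after an upgrade. The limit `MAX_NOTE_CHARS`, the `notes` table and its columns, and the sample rows are all constructed assumptions for the example; they do not reflect MantisBT's schema or configuration.

```python
"""Server-side note-length validation and an oversized-note scan.

Added example (not MantisBT code). The schema, limit and sample data below
are constructed for illustration only.
"""
import sqlite3
from typing import List, Tuple

# Hypothetical per-note character budget. The value is an assumption; a real
# deployment would size it to what the activity-stream renderer can handle.
MAX_NOTE_CHARS = 65_535


class NoteTooLong(ValueError):
    """Raised when a submitted note exceeds the server-side limit."""


def validate_note(text: str, max_chars: int = MAX_NOTE_CHARS) -> str:
    """Return the note unchanged if it is within the limit, else raise.

    The check counts characters (not bytes) so that it agrees with the
    length the database reports via LENGTH() on a TEXT column. It runs on
    the server, independent of any client-side maxlength attribute.
    """
    if not isinstance(text, str):
        raise TypeError("note must be a str")
    length = len(text)
    if length > max_chars:
        raise NoteTooLong(f"note has {length} characters; limit is {max_chars}")
    return text


def find_oversized_notes(conn: sqlite3.Connection,
                         max_chars: int = MAX_NOTE_CHARS) -> List[Tuple[int, int, int]]:
    """Return (bug_id, note_id, length) for stored notes above the limit.

    Useful after upgrading: the fix stops new oversized notes, but existing
    ones still need to be located and cleaned up so the issue renders again.
    """
    rows = conn.execute(
        "SELECT bug_id, id, LENGTH(note) FROM notes "
        "WHERE LENGTH(note) > ? ORDER BY bug_id, id",
        (max_chars,),
    ).fetchall()
    return [(int(b), int(i), int(n)) for b, i, n in rows]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample: three notes, one far over the limit."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, bug_id INTEGER, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO notes (id, bug_id, note) VALUES (?, ?, ?)",
        [
            (1, 10, "Reproduced on staging, see attached log."),
            (2, 10, "x" * 100_000),  # constructed oversized note
            (3, 11, "Fixed in the feature branch."),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    # Demonstrate the validator rejecting what the scan would later find.
    try:
        validate_note("x" * 100_000)
    except NoteTooLong as exc:
        print("rejected:", exc)
    for bug_id, note_id, length in find_oversized_notes(conn):
        print(f"bug {bug_id}: note {note_id} has {length} characters")
```

Two points the example makes that the Q&A only implies: the limit must be enforced on the server, because a browser-side maxlength is trivially bypassed by any HTTP client; and the check should count in the same unit the database uses, otherwise multi-byte text can pass validation yet still exceed the stored-size budget, or be rejected while well within it.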