CVE-2025-46556
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-04

Last updated on: 2025-11-07

Assigner: GitHub, Inc.

Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-04
Last Modified
2025-11-07
Generated
2026-06-16
AI Q&A
2025-11-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-46556
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mantisbt mantisbt to 2.27.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Mantis Bug Tracker (MantisBT) versions 2.27.1 and below allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). The root cause is the lack of server-side validation on the length of notes. When such a long note is added, the activity stream user interface fails to render, preventing new notes from being displayed and effectively breaking all future collaboration on that issue. The issue is fixed in version 2.27.2.

Impact Analysis

The vulnerability can impact you by disrupting collaboration on issues tracked in MantisBT. Since the activity stream UI fails to render after a very long note is added, new notes cannot be displayed, which breaks all future collaboration on the affected issue. This can lead to loss of visibility into issue progress and hinder effective issue tracking and resolution.

Mitigation Strategies

Upgrade Mantis Bug Tracker to version 2.27.2 or later, as this version contains the fix for the vulnerability that allows permanent corruption of issue activity logs by submitting extremely long notes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-46556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart