CVE-2025-46556
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-46556, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-04

Last updated on: 2025-11-07

Assigner: GitHub, Inc.

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-04
Last Modified
2025-11-07
Generated
2026-07-06
AI Q&A
2025-11-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mantisbt mantisbt to 2.27.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Mantis Bug Tracker (MantisBT) versions 2.27.1 and below allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). The root cause is the lack of server-side validation on the length of notes. When such a long note is added, the activity stream user interface fails to render, preventing new notes from being displayed and effectively breaking all future collaboration on that issue. The issue is fixed in version 2.27.2.

Impact Analysis

The vulnerability can impact you by disrupting collaboration on issues tracked in MantisBT. Since the activity stream UI fails to render after a very long note is added, new notes cannot be displayed, which breaks all future collaboration on the affected issue. This can lead to loss of visibility into issue progress and hinder effective issue tracking and resolution.

Mitigation Strategies

Upgrade Mantis Bug Tracker to version 2.27.2 or later, as this version contains the fix for the vulnerability that allows permanent corruption of issue activity logs by submitting extremely long notes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-46556. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart