Moderate severity · NVD Advisory · Published Nov 4, 2025 · Updated Nov 6, 2025
MantisBT is Vulnerable to Denial-of-Service (DoS) attack via Excessive Note Length
CVE-2025-46556
Description
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.27.1 and below allow attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters) due to a lack of server-side validation of note length. Once such a note is added, the activity stream UI fails to render; therefore, new notes cannot be displayed, effectively breaking all future collaboration on the issue. This issue is fixed in version 2.27.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mantisbt/mantisbt (Packagist) | < 2.27.2 | 2.27.2 |
References
- github.com/advisories/GHSA-r3jf-hm7q-qfw5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46556 (advisory)
- github.com/mantisbt/mantisbt/commit/c99a41272532ba49b5c8dccb7797afead9864234 (fix commit)
- github.com/mantisbt/mantisbt/commit/d5cec6bffb44d54bd412c186b9baa409b1aa4238 (fix commit)
- github.com/mantisbt/mantisbt/commit/e9119c68b4a0eaa0bbde3deb121e81f5f7157361 (fix commit)
- github.com/mantisbt/mantisbt/security/advisories/GHSA-r3jf-hm7q-qfw5 (vendor advisory)