GHSA-r3jf-hm7q-qfw5: MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:
Impact
- The entire activity stream becomes unviewable (UI fails to render).
- New notes cannot be displayed, effectively breaking all future collaboration on the issue.

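As an added illustration, not MantisBT's own patch (the limits, function names and thresholds below are assumptions, not MantisBT settings), a PHP server-side length guard of the kind the advisory says was missing, plus a display-side fallback so an oversized note that is already stored does not take the rest of the activity stream down with it:

```php
<?php
// Added example: hypothetical server-side guard, not MantisBT code.
// Limits are assumed values; a real deployment would make them configurable.
const MAX_NOTE_CHARS = 20000;   // assumed cap on what a user may submit
const MAX_NOTE_BYTES = 65535;   // assumed ceiling of the storage column
const MAX_RENDER_CHARS = 50000; // assumed cap on what the UI will inline

class NoteTooLongException extends RuntimeException {}

// Reject before persisting. Checked in characters (what the user sees)
// and in bytes (what the database holds), since UTF-8 makes them differ.
function validate_note_length(string $note): void
{
    $chars = mb_strlen($note, 'UTF-8');
    $bytes = strlen($note);
    if ($chars > MAX_NOTE_CHARS || $bytes > MAX_NOTE_BYTES) {
        throw new NoteTooLongException(sprintf(
            'note rejected: %d chars / %d bytes exceeds %d chars / %d bytes',
            $chars, $bytes, MAX_NOTE_CHARS, MAX_NOTE_BYTES
        ));
    }
}

// Server-side entry point: enforced regardless of any client-side check.
function add_note(int $bug_id, string $note): bool
{
    validate_note_length($note);
    // ... persist $note for $bug_id here (storage omitted)
    return true;
}

// Display-side resilience: a note already in the database that exceeds the
// render cap is replaced by a short placeholder instead of being inlined,
// so the remaining notes in the activity stream still render.
function render_note(int $note_id, string $note): string
{
    $chars = mb_strlen($note, 'UTF-8');
    if ($chars > MAX_RENDER_CHARS) {
        return sprintf('[note #%d withheld: %d characters exceeds display limit]',
            $note_id, $chars);
    }
    return htmlspecialchars($note, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: an ordinary note and one the size cited in the advisory.
$normal = str_repeat('ok ', 100);
$huge   = str_repeat('A', 4788761);
add_note(1, $normal);                                   // accepted
try { add_note(1, $huge); } catch (NoteTooLongException $e) { echo $e->getMessage(), "\n"; }
echo render_note(2, $huge), "\n";                       // placeholder, not 4.7 MB of text
```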
Patches
Fixed in 2.27.2.
Workarounds
None
Credits
Thanks to Mazen Mahmoud (@TheAmazeng) for reporting the vulnerability.
- CVE-2025-46556

Moderate severity GitHub Reviewed Published Nov 1, 2025 in mantisbt/mantisbt • Updated Nov 3, 2025
Package
composer mantisbt/mantisbt (Composer)
Affected versions
< 2.27.2
References
- GHSA-r3jf-hm7q-qfw5
- mantisbt/mantisbt@c99a412
- mantisbt/mantisbt@d5cec6b
- mantisbt/mantisbt@e9119c6

Published to the GitHub Advisory Database
Nov 3, 2025