CVE-2025-46556: 
PHP vulnerability analysis and mitigation

MantisBT versions 2.27.1 and below contain a vulnerability that allows attackers to cause a Denial-of-Service (DoS) condition through excessive note length submissions. The vulnerability was discovered in November 2025 and assigned CVE-2025-46556. The issue affects the bug tracking system's note submission functionality and has been patched in version 2.27.2 (GitHub Advisory, Miggo Database).

The vulnerability stems from a lack of server-side validation for note length in MantisBT. Attackers can exploit this by submitting extremely long notes (tested with 4,788,761 characters) to corrupt issue activity logs. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) (GitHub Advisory).

When successfully exploited, the vulnerability causes the entire activity stream to become unviewable as the UI fails to render. Additionally, new notes cannot be displayed, effectively breaking all future collaboration on the affected issue. This creates a permanent denial of service condition for the specific issue's activity logs (GitHub Advisory).

The vulnerability has been fixed in MantisBT version 2.27.2. Users are advised to upgrade to this version or later. No temporary workarounds are available for this vulnerability (GitHub Advisory).