VulnerableCode Package Details - pkg:composer/mantisbt/mantisbt@2.27.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-843s-1vx7-nueb Aliases: CVE-2026-30849 GHSA-phrq-pc6r-f6gh	MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. ### Impact Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. ### Patches * b349e5c890eeda9bd82e7c7e14479853f8a30d9f ### Workarounds - [Disabling the SOAP API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name. ### Resources - https://mantisbt.org/bugs/view.php?id=36902 ### Credits MantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.	2.28.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-8wux-1k2d-sbam Aliases: CVE-2025-55155 GHSA-q747-c74m-69pr	MantisBT lacks verification when changing a user's email address When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.	2.27.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-d3yt-mkwe-33hu Aliases: CVE-2025-46556 GHSA-r3jf-hm7q-qfw5	MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:	2.27.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-n3nu-aawj-s7af Aliases: CVE-2025-47776 GHSA-4v8w-gg5j-ph37	MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. [1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782	2.27.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-yhf6-qthy-nqb2 Aliases: CVE-2025-62520 GHSA-g582-8vwr-68h2	MantisBT unauthorized disclosure of private project column configuration Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to. Access to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration.	2.27.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-843s-1vx7-nueb
Aliases:
CVE-2026-30849
GHSA-phrq-pc6r-f6gh

MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer. ### Impact Using a crafted SOAP envelope, an attacker knowing the victim's username is able to login to the SOAP API with their account without knowledge of the actual password, and execute any API function they have access to. ### Patches * b349e5c890eeda9bd82e7c7e14479853f8a30d9f ### Workarounds - [Disabling the SOAP API](https://mantisbt.org/docs/master/en-US/Admin_Guide/html-desktop/#admin.config.api.disable) significantly reduces the risk, but still allows the attacker to retrieve user account information including email address and real name. ### Resources - https://mantisbt.org/bugs/view.php?id=36902 ### Credits MantisBT thanks Alexander Philiotis of SynerComm for discovering and responsibly reporting the issue.

2.28.1
Affected by 1 other vulnerability.

VCID-8wux-1k2d-sbam
Aliases:
CVE-2025-55155
GHSA-q747-c74m-69pr

MantisBT lacks verification when changing a user's email address When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.

2.27.2
Affected by 1 other vulnerability.

VCID-d3yt-mkwe-33hu
Aliases:
CVE-2025-46556
GHSA-r3jf-hm7q-qfw5

MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely long notes (tested with 4,788,761 characters). Once such a note is added:

2.27.2
Affected by 1 other vulnerability.

VCID-n3nu-aawj-s7af
Aliases:
CVE-2025-47776
GHSA-4v8w-gg5j-ph37

MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpretation of certain MD5 hashes as numbers, specifically those matching scientific notation. [1]: https://github.com/mantisbt/mantisbt/blob/0fb502dd613991e892ed2224ac5ea3e40ba632bc/core/authentication_api.php#L782

2.27.2
Affected by 1 other vulnerability.

VCID-yhf6-qthy-nqb2
Aliases:
CVE-2025-62520
GHSA-g582-8vwr-68h2

MantisBT unauthorized disclosure of private project column configuration Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project managers having MANAGER role) can use the _Copy From_ action to retrieve the columns configuration from a private project they have no access to. Access to the reverse operation (_Copy To_) is correctly controlled, i.e. it is not possible to alter the private project's configuration.

2.27.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:33:34.624525+00:00	GitLab Importer	Affected by	VCID-843s-1vx7-nueb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2026-30849.yml	38.6.0
2026-06-06T06:19:09.044665+00:00	GitLab Importer	Affected by	VCID-8wux-1k2d-sbam	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2025-55155.yml	38.6.0
2026-06-06T06:19:08.560978+00:00	GitLab Importer	Affected by	VCID-yhf6-qthy-nqb2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2025-62520.yml	38.6.0
2026-06-06T06:19:08.075141+00:00	GitLab Importer	Affected by	VCID-n3nu-aawj-s7af	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2025-47776.yml	38.6.0
2026-06-06T06:19:07.296254+00:00	GitLab Importer	Affected by	VCID-d3yt-mkwe-33hu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/mantisbt/mantisbt/CVE-2025-46556.yml	38.6.0