Go ahead and download the release from our website.
In order to stay up to date with the latest MantisBT news, please star our GitHub repository, join our Gitter channel, or follow us on X or Mastodon and retweet to spread the word!
Note that MantisBT 2.27 is only compatible with PHP up to version 8.3. The upcoming 2.28.0 release will bring support for PHP 8.4 and later.
MantisBT 2.27.2
Maintenance and security release addressing 4 vulnerabilities:
- CVE-2025-47776 (GHSA-4v8w-gg5j-ph37): Authentication bypass for some passwords due to PHP type juggling, thanks to Harry Sintonen (@piru) / Reversec
- CVE-2025-46556 (GHSA-r3jf-hm7q-qfw5): Denial-of-Service (DoS) via Excessive Note Length, thanks to Mazen Mahmoud (@TheAmazeng)
- CVE-2025-55155 (GHSA-q747-c74m-69pr): Lack of verification when changing a user’s email address, thanks to Chaitanya Reddy (@ncrcs)
- CVE-2025-62520 (GHSA-g582-8vwr-68h2): Ability to copy private project configurations, thanks to d3vpoo1
It also includes a score of other bug fixes and improvements. Please refer to the Change Log for details.
All installations are advised to upgrade as soon as possible.
