CVE-2025-55155

5.4 MEDIUM
Published: November 04, 2025 Modified: November 10, 2025
View on NVD

Description

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing the user from receiving system notifications. Notifications sent to another person's email address could lead to information disclosure. This issue is fixed in version 2.27.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/mantisbt/mantisbt/commit/21e9fbedde8553c29c0d3156e84f78157fc4f22e
Source: security-advisories@github.com
Patch
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-q747-c74m-69pr
Source: security-advisories@github.com
Issue Tracking Vendor Advisory
https://mantisbt.org/bugs/view.php?id=36005
Source: security-advisories@github.com
Exploit Issue Tracking Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.0%
4th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-201 CWE-354

Affected Vendors

mantisbt

Related CVEs

CVE-2025-69261 N/A
CVE-2025-69257 6.7
CVE-2025-69210 N/A
CVE-2025-66823 N/A
CVE-2025-50343 N/A