Incorrect Comparison Affecting mantisbt/mantisbt package, versions <2.27.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-MANTISBTMANTISBT-13831414
- published4 Nov 2025
- disclosed3 Nov 2025
- creditHarry Sintonen
Introduced: 3 Nov 2025
NewCVE-2025-47776 (opens in a new tab)How to fix?
Upgrade mantisbt/mantisbt to version 2.27.2 or higher.
Overview
mantisbt/mantisbt is a mantis bug tracker.
Affected versions of this package are vulnerable to Incorrect Comparison via the authentication_api.php process. An attacker can gain unauthorized access to user accounts by exploiting PHP type juggling in the authentication logic, allowing login with any password that produces a hash matching a specific pattern. This is only exploitable if the instance is configured to use the MD5 login method and the user's password hash matches the regex ^0+[Ee][0-9]+$.
Workaround
This vulnerability can be mitigated by checking the database for accounts with vulnerable password hashes and changing those users' passwords.