MantisBT 2.27.1: Unauthorized Retrieval via manage_config_columns_page.php
CVE-2025-62520 Published on November 4, 2025
MantisBT unauthorized disclosure of private project column configuration
Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manage_config_columns_page.php can use the Copy From action to retrieve the columns configuration from a private project they have no access to. This issue is fixed in version 2.27.2.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-62520 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-62520
Want to know whenever a new CVE is published for MantisBT? stack.watch will email you.
Affected Versions
mantisbt Version < 2.27.2 is affected by CVE-2025-62520Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.