Mantis 2.27.3
3 November 2025
Mantis version 2.27.3 is now available (security release).
Upgrading to Mantis 2.27.3
Mantis 2.27.3 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Mantis updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Mantis install to test the 2.27.3 upgrade prior to applying it live.
What's New in Mantis 2.27.3
2.27.3
Hotfix release addressing a couple of regression issues affecting Admin Checks introduced by 2.27.2.
Bug Fixes
- 0036619: [administration] Most Admin Checks are disabled in 2.27.2 (dregad)
- 0036620: [administration] PHP Fatal error in Admin Checks of custom fields (atrol)
 
2.27.2
Maintenance and security release addressing 4 vulnerabilities, fixing several bugs and including a few minor improvements. Many thanks to Harry Sintonen / Reversec for CVE-2025-47776 (GHSA-4v8w-gg5j-ph37), Mazen Mahmoud for CVE-2025-46556 (GHSA-r3jf-hm7q-qfw5), Chaitanya Reddy for CVE-2025-55155 (GHSA-q747-c74m-69pr) and d3vpoo1 for CVE-2025-62520 (GHSA-g582-8vwr-68h2).
Security
- 0036502: [security] CVE-2025-62520: Ability to copy private project configurations (Columns) (atrol)
- 0036005: [security] CVE-2025-55155: Lack of verification when changing a user's email address (dregad)
- 0035893: [security] CVE-2025-46556: Denial-of-Service (DoS) via Excessive Note Length (dregad)
 
Bug Fixes and Changes
- 0035906: [db schema] Update ADOdb to 5.22.10 (dregad)
- 0036540: [bugtracker] Introduce a maximum PHP version (dregad)
- 0035915: [administration] Updating a global config yields incorrect error message (dregad)
- 0036164: [administration] Impossible to delete a global config defined in the database (dregad)
- 0035668: [api rest] can't change issue category to "no category" via rest api (dregad)
- 0036269: [bugtracker] Collapsed status for "Users monitoring" section is not persisted (dregad)
- 0036265: [feature] Search with collapsed filter section expands it (dregad)
- 0036263: [administration] Error editing categories with PostgreSQL: APPLICATION ERROR 401 (dregad)
- 0036515: [administration] Hardcoded role instead of config in access level check on Manage Columns page (dregad)
- 0036542: [bugtracker] When editing a bugnote, a newline is appended to the text (dregad)
- 0036512: [other] Access Denied page returns HTTP status 200 (dregad)
- 0035854: [tools] PHPUnit assertObjectHasAttribute() method is deprecated (dregad)
- 0035853: [tools] PHPUnit tests RestFiltersTest fail when anonymous access is disabled (dregad)
- 0035852: [api rest] REST API GET /filters throws deprecation warning on PHP 8.1 (dregad)
- 0036503: [bugtracker] Ability to change the default project of a user (dregad)
- 0036257: [bugtracker] Deleted notes not showing in bug history (dregad)
- 0036535: [code cleanup] Custom Field admin checks refactoring (dregad)
- 0021675: [ui] Incorrect positioning of "View Issue Details" when recalled from "Direct link to note" (dregad)
- 0035967: [authentication] CVE-2025-47776: Authentication bypass for some passwords due to PHP type juggling (dregad)