MantisBT: master-2.28 78c0af63
| Author | Committer | Branch | Timestamp | Parent |
|---|---|---|---|---|
| dregad | dregad | master-2.28 | 2026-05-25 07:01 | master-2.28 e7041ecc |
| Affected Issues | 0037122: CVE-2026-49273: Remote Code Execution via `eval()` Class Hoisting in Admin Configuration Set | |||
| Changeset | Remove use of eval() in Tokenizer class eval() was used to check syntax but the safeguard still allowed code Leveraging the autoloader, an attacker could achieve remote code We now rely on token_get_all()'s TOKEN_PARSE flag 1 to check syntax, Fixes 0037122, GHSA-v84x-qvhg-f36r |
|||
| mod - core/classes/Tokenizer.class.php | Diff File | |||