MantisBT: master-2.28 78c0af63

Author Committer Branch Timestamp Parent
dregad dregad master-2.28 2026-05-25 07:01 master-2.28 e7041ecc
Affected Issues  0037122: CVE-2026-49273: Remote Code Execution via `eval()` Class Hoisting in Admin Configuration Set
Changeset

Remove use of eval() in Tokenizer class

eval() was used to check syntax but the safeguard still allowed code
injection because PHP evaluates classes and functions at compile time.

Leveraging the autoloader, an attacker could achieve remote code
execution by defining a rogue ConfigsSetCommand class.

We now rely on token_get_all()'s TOKEN_PARSE flag 1 to check syntax,
which will throw a ParseError exception just like eval() does, but
without executing the code.

Fixes 0037122, GHSA-v84x-qvhg-f36r

mod - core/classes/Tokenizer.class.php Diff File