PT-2026-60357 · Packagist · Mantisbt/Mantisbt

CVE-2026-49273

·

Publicado

2026-07-15

·

Atualizado

2026-07-15

CVSS v4.0

8.6

Alta

VetorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
MantisBT 2.28.3 and earlier contains a remote code execution vulnerability in the admin "Manage Configuration" feature (adm config set.php). When setting a configuration value with a non-string type (integer, float, complex), the value is passed through ConfigParser -> Tokenizer, which calls eval() with a return; prefix intended to prevent code execution.
However, PHP hoists function and class declarations at compile time, even past a return statement. An attacker can define a class in the eval()'d code that hijacks a class loaded later via PHP's autoloader, achieving arbitrary code execution.
This vulnerability requires administrator access to the web UI (adm config set.php). The REST API's ConfigsSetCommand does NOT use Tokenizer/eval() and is not affected.

Impact

  • Remote code execution as the web server user (www-data) from an authenticated administrator session

Patches

Workarounds

None.

Resources

Credits

McCaulay Hudson (@ McCaulay) of watchTowr

Correção

Eval Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-49273
GHSA-V84X-QVHG-F36R

Produtos afetados

Mantisbt/Mantisbt