GHSA-v84x-qvhg-f36rHigh

MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php

Published
July 15, 2026
Last Modified
July 15, 2026

🔗 CVE IDs covered (1)

📋 Description

MantisBT 2.28.3 and earlier contains a remote code execution vulnerability in the admin "Manage Configuration" feature (adm_config_set.php). When setting a configuration value with a non-string type (integer, float, complex), the value is passed through ConfigParser -> Tokenizer, which calls eval() with a return; prefix intended to prevent code execution.

However, PHP hoists function and class declarations at compile time, even past a return statement. An attacker can define a class in the eval()'d code that hijacks a class loaded later via PHP's autoloader, achieving arbitrary code execution.

This vulnerability requires administrator access to the web UI (adm_config_set.php). The REST API's ConfigsSetCommand does NOT use Tokenizer/eval() and is not affected.

Impact

  • Remote code execution as the web server user (www-data) from an authenticated administrator session

Patches

  • https://github.com/mantisbt/mantisbt/commit/78c0af63d1fe0118004744cab21ca3bf2cea0f5c

Workarounds

None.

Resources

  • https://mantisbt.org/bugs/view.php?id=37122

Credits

McCaulay Hudson (@_McCaulay) of watchTowr

🎯 Affected products1

  • composer/mantisbt/mantisbt:>= 1.3.0, <= 2.28.3

🔗 References (4)