{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/class-hoisting/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MantisBT (\u003c= 2.28.3)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","web-application","php","class-hoisting","mantisbt","xss","web-vulnerability"],"_cs_type":"advisory","_cs_vendors":["MantisBT"],"content_html":"\u003cp\u003eA critical remote code execution vulnerability, tracked as CVE-2026-49273, has been discovered in MantisBT versions 2.28.3 and earlier. This flaw exists within the \u0026quot;Manage Configuration\u0026quot; feature (accessible via \u003ccode\u003eadm_config_set.php\u003c/code\u003e) which is part of the administrative web UI. The vulnerability arises when an authenticated administrator attempts to set a configuration value of a non-string type (such as an integer or float). Although the application uses \u003ccode\u003eeval()\u003c/code\u003e with a \u003ccode\u003ereturn;\u003c/code\u003e prefix to prevent immediate code execution, PHP's compile-time behavior of hoisting class and function declarations bypasses this safeguard. An attacker can craft a malicious input that defines a class, which is then hoisted and can hijack a legitimate class loaded later by PHP's autoloader, leading to arbitrary code execution as the web server user. This vulnerability specifically requires administrator access to the web UI; the REST API and its \u003ccode\u003eConfigsSetCommand\u003c/code\u003e are not affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker obtains valid administrator credentials for the MantisBT web UI, typically through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Configuration Interface\u003c/strong\u003e: The attacker logs into the MantisBT web UI and navigates to the \u0026quot;Manage Configuration\u0026quot; page (\u003ccode\u003eadm_config_set.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Payload\u003c/strong\u003e: The attacker prepares a PHP code payload that defines a malicious class, designed to exploit PHP's class hoisting mechanism.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInject Payload\u003c/strong\u003e: The attacker submits a POST request to \u003ccode\u003eadm_config_set.php\u003c/code\u003e, setting a configuration value to the malicious PHP class definition, ensuring it is treated as a non-string type.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer-Side Processing\u003c/strong\u003e: MantisBT's \u003ccode\u003eConfigParser -\u0026gt; Tokenizer\u003c/code\u003e component processes the input, calling \u003ccode\u003eeval()\u003c/code\u003e on the provided configuration value.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClass Hoisting Bypass\u003c/strong\u003e: Despite the \u003ccode\u003ereturn;\u003c/code\u003e prefix in the \u003ccode\u003eeval()\u003c/code\u003e call, PHP hoists the attacker-defined class at compile time.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClass Hijacking and Execution\u003c/strong\u003e: The hoisted malicious class can then hijack a legitimate class that MantisBT subsequently attempts to load via its autoloader. This allows the attacker to execute arbitrary PHP code as the underlying web server user (e.g., \u003ccode\u003ewww-data\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation\u003c/strong\u003e: The attacker gains full control over the MantisBT installation, potentially leading to data exfiltration, defacement, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-49273 results in remote code execution as the web server user, which typically has privileges to read, write, and execute files within the web root and associated directories. This could lead to a complete compromise of the MantisBT application, including unauthorized access to project data, user credentials, and sensitive bug reports. Attackers could also use this access as a foothold to compromise the underlying server or other systems within the network. While the vulnerability requires authenticated administrator access, the impact is severe due to the potential for full system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-49273\u003c/strong\u003e: Immediately update all MantisBT installations to version 2.28.4 or later by applying the patch from \u003ccode\u003ehttps://github.com/mantisbt/mantisbt/commit/78c0af63d1fe0118004744cab21ca3bf2cea0f5c\u003c/code\u003e to mitigate CVE-2026-49273.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Web Server Logs\u003c/strong\u003e: Deploy the provided Sigma rule to detect suspicious POST requests to \u003ccode\u003eadm_config_set.php\u003c/code\u003e containing PHP class or function definitions. Ensure web server logs capture \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e for \u003ccode\u003ewebserver\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Administrator Activity\u003c/strong\u003e: Regularly audit logs for \u003ccode\u003eadm_config_set.php\u003c/code\u003e to identify unusual configuration changes, especially from unexpected IP addresses or at unusual times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T18:58:02Z","date_published":"2026-07-15T16:53:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-mantisbt-rce/","summary":"A high-severity remote code execution vulnerability, CVE-2026-49273, affects MantisBT versions 2.28.3 and earlier, allowing an authenticated administrator to achieve arbitrary code execution as the web server user by leveraging PHP's class hoisting during the processing of non-string configuration values in `adm_config_set.php`.","title":"MantisBT Remote Code Execution via Class Hoisting (CVE-2026-49273)","url":"https://feed.craftedsignal.io/briefs/2026-07-mantisbt-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Class-Hoisting","version":"https://jsonfeed.org/version/1.1"}