diff --git a/lib/functions/cli/utils-cli.sh b/lib/functions/cli/utils-cli.sh
index 78ec6fd3672e..30d83bf00de1 100644
--- a/lib/functions/cli/utils-cli.sh
+++ b/lib/functions/cli/utils-cli.sh
@@ -65,7 +65,7 @@ function apply_cmdline_params_to_env() {
 		if [[ -z "${!param_name+x}" ]] || [[ "${current_env_value}" != "${param_value}" ]]; then
 			display_alert "Applying cmdline param" "'$param_name': '${current_env_value_desc}' --> '${param_value_desc}' ${__my_reason}" "cmdline"
 			# use `declare -g` to make it global, we're in a function.
-			eval "declare -g $param_name=\"$param_value\""
+			declare -g "${param_name}=${param_value}"
 		else
 			# rpardini: strategic amount of spacing in log files show the kinda neuroticism that drives me.
 			display_alert "Skip     cmdline param" "'$param_name': already set to '${param_value_desc}' ${__my_reason}" "info"
diff --git a/lib/functions/configuration/change-tracking.sh b/lib/functions/configuration/change-tracking.sh
index 00f4994fa5a6..c5ed714c92b7 100644
--- a/lib/functions/configuration/change-tracking.sh
+++ b/lib/functions/configuration/change-tracking.sh
@@ -18,7 +18,13 @@ function track_config_variables() {
 
 		# if the var is an array...
 		if [[ "${array_values:-"no"}" == "yes" ]]; then
-			eval "var_value=\"\${${var_name}[@]}\"" # sorry
+			# bash nameref (local -n) creates an alias for the variable named in $var_name —
+			# no eval needed, no code-injection risk. Works for arrays and scalars alike.
+			# unset -n removes the alias only (not the referenced array) to avoid
+			# "already a nameref" warnings on the next loop iteration.
+			local -n _ct_arr_ref="${var_name}"
+			var_value="${_ct_arr_ref[*]}"
+			unset -n _ct_arr_ref
 			value_text="${blue_color:-}(${bright_blue_color:-}${var_value}${blue_color:-})"
 		else
 			var_value="${!var_name}"
diff --git a/lib/functions/configuration/interactive.sh b/lib/functions/configuration/interactive.sh
index decebd382615..3f36e00cd3ee 100644
--- a/lib/functions/configuration/interactive.sh
+++ b/lib/functions/configuration/interactive.sh
@@ -30,8 +30,8 @@ function interactive_config_prepare_terminal() {
 # $1: variable name
 # $2: variable value
 function set_interactive_config_value() {
-	eval "$1"='$2'
-	eval "ARMBIAN_INTERACTIVE_CONFIGS[${1}]"='$2'
+	declare -g "${1}=${2}"
+	ARMBIAN_INTERACTIVE_CONFIGS["${1}"]="${2}"
 }
 
 function interactive_finish() {