{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25233", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.328Z", "datePublished": "2026-02-03T18:29:13.336Z", "dateUpdated": "2026-02-04T21:14:41.218Z"}, "containers": {"cna": {"title": "PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug", "problemTypes": [{"descriptions": [{"cweId": "CWE-783", "lang": "en", "description": "CWE-783: Operator Precedence Logic Error", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3"}], "affected": [{"vendor": "pear", "product": "pearweb", "versions": [{"version": "< 1.33.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:29:13.336Z"}, "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0."}], "source": {"advisory": "GHSA-p92v-9j73-fxx3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T21:14:35.359296Z", "id": "CVE-2026-25233", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:14:41.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25233", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T21:14:35.359296Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T21:14:38.737Z"}}], "cna": {"title": "PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug", "source": {"advisory": "GHSA-p92v-9j73-fxx3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "pear", "product": "pearweb", "versions": [{"status": "affected", "version": "< 1.33.0"}]}], "references": [{"url": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3", "name": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-783", "description": "CWE-783: Operator Precedence Logic Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:29:13.336Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25233", "state": "PUBLISHED", "dateUpdated": "2026-02-04T21:14:41.218Z", "dateReserved": "2026-01-30T14:44:47.328Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T18:29:13.336Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C609AFE-4E3A-4103-9AA0-9CEA5D0D87AD", "versionEndExcluding": "1.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0."}], "id": "CVE-2026-25233", "lastModified": "2026-02-05T18:09:05.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T19:16:22.980", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-783"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:35:03.995303+00:00", "value": {"mitigation_remediation": ["Upgrade PEAR pearweb to version 1.33.0 or later to apply the official patch that fixes the operator precedence bug in the roadmap role check.", "If an immediate upgrade is not possible, restrict roadmap creation, modification, and deletion privileges to lead maintainers only by reviewing and tightening role assignments in the application configuration.", "Enable detailed logging for roadmap creation, update, and deletion actions to detect unauthorized modifications and trigger alerts."], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass enabling unauthorized modification of roadmaps"}, "threat_synthesis": {"affected_systems": "The issue affects the PEAR framework and distribution system for reusable PHP components, specifically the pearweb product from vendor pear. Versions prior to 1.33.0 are vulnerable; all releases 1.33.0 and newer have the fix applied.", "description_and_impact": "A logic flaw in PEAR\u2019s roadmap authorization check, triggered by operator precedence, allows authenticated users who are not lead maintainers to gain full control over roadmap creation, updates, and deletion. The vulnerability is a classic example of CWE\u2011783: insecure permissions or access control. An attacker with access to the application can therefore alter project plans, introduce erroneous information, or delete critical roadmap data, potentially leading to loss of integrity and availability for project stakeholders.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates a high severity vulnerability, but EPSS shows a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the attack vector appears to be local to the web application; an authenticated non-lead user can execute the exploit simply by creating or manipulating a roadmap, as no additional conditions are required beyond legitimate credentials."}}}}, "created": "2026-02-04T12:08:53.255866+00:00", "updated": "2026-04-18T18:45:05.749373+00:00", "vendors": ["pear", "pear$PRODUCT$pearweb"]}