{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25237", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-30T14:44:47.329Z", "datePublished": "2026-02-03T18:29:54.001Z", "dateUpdated": "2026-02-04T20:21:50.253Z"}, "containers": {"cna": {"title": "PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails", "problemTypes": [{"descriptions": [{"cweId": "CWE-624", "lang": "en", "description": "CWE-624: Executable Regular Expression Error", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23"}], "affected": [{"vendor": "pear", "product": "pearweb", "versions": [{"version": "< 1.33.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:29:54.001Z"}, "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."}], "source": {"advisory": "GHSA-vhw6-hqh9-8r23", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T20:21:43.501877Z", "id": "CVE-2026-25237", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:21:50.253Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T20:21:43.501877Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T20:21:46.580Z"}}], "cna": {"title": "PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails", "source": {"advisory": "GHSA-vhw6-hqh9-8r23", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pear", "product": "pearweb", "versions": [{"status": "affected", "version": "< 1.33.0"}]}], "references": [{"url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23", "name": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-624", "description": "CWE-624: Executable Regular Expression Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T18:29:54.001Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25237", "state": "PUBLISHED", "dateUpdated": "2026-02-04T20:21:50.253Z", "dateReserved": "2026-01-30T14:44:47.329Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T18:29:54.001Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C609AFE-4E3A-4103-9AA0-9CEA5D0D87AD", "versionEndExcluding": "1.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."}], "id": "CVE-2026-25237", "lastModified": "2026-02-05T18:05:46.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T19:16:24.867", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-624"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:09:38.577533+00:00", "value": {"mitigation_remediation": ["Upgrade PEAR Web to version 1.33.0 or later", "If upgrading is not immediately possible, remove or disable the use of preg_replace with the /e modifier in the bug update email processing code", "As a temporary workaround, sanitize or escape user\u2011supplied content before it reaches the preg_replace call"], "summary": {"action": "Patch Now", "impact": "Remote Code Execution via email handling"}, "threat_synthesis": {"affected_systems": "PEAR Web is affected. All installations of the PEAR framework and distribution system prior to version 1.33.0 are vulnerable. The problem exists in the bug update email handler component of the framework; no specific sub\u2011components are listed beyond the overall product.", "description_and_impact": "The vulnerability arises from the use of preg_replace() with the /e modifier in bug update email handling within the PEAR framework. When attacker\u2011controlled content is passed to the evaluated replacement string, arbitrary PHP code can be executed. This flaw, classified as CWE\u2011624, allows attackers to run malicious code on the server, potentially compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The flaw has a CVSS score of 9.2, indicating a critical risk level. The EPSS score is below 1%, suggesting that wide\u2011scale exploitation is unlikely at present, and it is not yet catalogued in CISA\u2019s KEV. Nonetheless, because the flaw permits remote code execution if an attacker can influence the content of a bug update email, the potential impact is substantial. A practical attack path could involve sending a specially crafted email that is parsed by the PEAR system, causing the /e modifier to evaluate user\u2011supplied code. Administrators should treat this as a high\u2011priority vulnerability."}}}}, "created": "2026-02-04T12:05:36.356426+00:00", "updated": "2026-04-18T00:15:31.789008+00:00", "vendors": ["pear", "pear$PRODUCT$pearweb"]}