CVE-2026-25237 PUBLISHED

PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails

Assigner: GitHub_M
Reserved: 30.01.2026 Published: 03.02.2026 Updated: 03.02.2026

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.2

Product Status

Vendor pear
Product pearweb
Versions
  • Version < 1.33.0 is affected

References

Problem Types

  • CWE-624: Executable Regular Expression Error CWE