Cyber Posture

CVE-2026-25237

Critical

Published: 03 February 2026

Modified: 05 February 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.

Mitigating Controls (NIST 800-53 r5)

prevent: Mandates timely patching: upgrade pearweb to 1.33.0 or later to remove the preg_replace() /e code path that allows arbitrary PHP code execution.

prevent: Requires validation of attacker-controlled inputs in bug update emails so that untrusted content cannot reach the evaluated replacement.

detect: Enables vulnerability scanning to identify pearweb installations older than 1.33.0 and trigger remediation before exploitation.

Security Summary

CVE-2026-25237 is a critical vulnerability in pear/pearweb, the code behind the PEAR website (PEAR is a framework and distribution system for reusable PHP components). Prior to version 1.33.0, the bug update email handling code calls preg_replace() with the /e modifier, which substitutes backreferences from the matched text into the replacement string and then passes that string to eval(). If attacker-controlled content reaches the evaluated replacement, the result is arbitrary PHP code execution on the affected server. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-624, Executable Regular Expression Error.

The CVSS vector models a remote, unauthenticated attacker who triggers the flaw over the network with low complexity and no user interaction. The attack surface is whatever content enters the bug update email path, such as manipulated bug report fields or email inputs that are later rendered through the flawed preg_replace() call; whether a given deployment is exploitable depends on whether such content actually reaches the evaluated replacement. Successful exploitation yields PHP code execution in the context of the web application, which can lead to complete compromise including data theft, modification, or server takeover. One runtime caveat: PHP 5.5 deprecated the /e modifier and PHP 7.0 removed it, so on PHP 7 and later preg_replace() with /e emits a warning and returns NULL instead of evaluating anything. The code-execution outcome therefore requires a PHP 5.x runtime, while the affected code path remains a defect (the affected function silently produces no output) on newer PHP.

The GitHub security advisory (https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23) describes the fix shipped in pearweb 1.33.0, which addresses the insecure use of the /e modifier. Upgrade to 1.33.0 or later, and review any custom email or bug-notification handling in PEAR deployments for other preg_replace() calls carrying the e modifier; preg_replace_callback() is the standard replacement, since it hands the match to a PHP closure as data rather than splicing it into source.
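As an added illustration (not pearweb's code and not the patch in the advisory), the block below shows the /e pattern in a hypothetical bug-update formatter, the same formatter rewritten with preg_replace_callback(), and a small scanner for the review step above that reports preg_replace() calls whose literal pattern carries the e modifier. The function names, the [b]...[/b] markup and the sample body are assumptions made for the example. It runs on PHP 7.1 or later, where the vulnerable call returns NULL instead of evaluating; only a PHP 5.x runtime would actually eval() the replacement.

```php
<?php
// Added illustration, not pearweb's code: a hypothetical bug-update mail
// formatter written the /e way, the hardened rewrite, and a review helper
// that flags preg_replace() patterns using the e modifier.

declare(strict_types=1);

/**
 * VULNERABLE (constructed example). With the /e modifier, preg_replace()
 * substitutes backreferences into the replacement string and hands the
 * result to eval(). The matched text from $body, attacker-controlled in
 * the email scenario, is therefore spliced into PHP source. PHP 7+ refuses
 * /e: the call emits a warning (suppressed here) and returns NULL.
 */
function renderUpdateVulnerable(string $body): ?string
{
    return @preg_replace(
        '/\[b\](.*?)\[\/b\]/e',
        "'<b>' . strtoupper('\\1') . '</b>'",
        $body
    );
}

/**
 * HARDENED. preg_replace_callback() passes the match to a closure as data;
 * nothing from $body is parsed as code. Same output for well-formed input.
 */
function renderUpdateSafe(string $body): string
{
    $out = preg_replace_callback(
        '/\[b\](.*?)\[\/b\]/',
        static function (array $m): string {
            return '<b>' . strtoupper($m[1]) . '</b>';
        },
        $body
    );
    if ($out === null) {
        throw new RuntimeException('regex failure, preg_last_error=' . preg_last_error());
    }
    return $out;
}

/**
 * Review helper: report preg_replace() calls whose string-literal pattern
 * carries the e modifier. Patterns built from variables or constants are
 * not inspected and need manual review.
 *
 * @return array<int, array{line:int, pattern:string}>
 */
function findExecutableRegex(string $source): array
{
    // preg_replace( followed by a single- or double-quoted string literal;
    // \s* lets the literal sit on the next line.
    $re = '/preg_replace\s*\(\s*([\'"])((?:\\\\.|(?!\1).)*)\1/';
    if (!preg_match_all($re, $source, $m, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        return [];
    }
    $hits = [];
    foreach ($m as $match) {
        [$pattern, $offset] = $match[2];
        if ($pattern === '') {
            continue;
        }
        // Modifiers are whatever follows the closing delimiter (bracket
        // delimiters close with their counterpart, others with themselves).
        $open  = $pattern[0];
        $close = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'][$open] ?? $open;
        $end   = strrpos($pattern, $close);
        if ($end === false || $end === 0) {
            continue;
        }
        if (strpos(substr($pattern, $end + 1), 'e') !== false) {
            $hits[] = [
                'line'    => substr_count($source, "\n", 0, $offset) + 1,
                'pattern' => $pattern,
            ];
        }
    }
    return $hits;
}

// Constructed sample: a bug-update body as a user might submit it.
$body = 'Status changed to [b]closed[/b].';
echo renderUpdateSafe($body), PHP_EOL;
var_dump(renderUpdateVulnerable($body)); // NULL on PHP 7+, evaluated on 5.x

// Scan this file itself: the /e pattern in renderUpdateVulnerable is reported.
foreach (findExecutableRegex((string) file_get_contents(__FILE__)) as $hit) {
    printf("line %d: executable regex %s\n", $hit['line'], $hit['pattern']);
}
```

Run it with `php example.php`. The scanner is deliberately simple: it only sees string-literal patterns, and an escaped delimiter at the very end of a pattern can confuse the modifier split, so treat its output as a starting point for manual review rather than proof of absence.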

Details

CWE(s)

CWE-624 Executable Regular Expression Error

Affected Products

pear/pearweb < 1.33.0 (fixed in 1.33.0)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated arbitrary PHP code execution via crafted bug update emails in a public-facing PHP web framework (PEAR pearweb), directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23