Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Predictable verification token could enable unauthorized account verification
Action: Apply Patch
AI Analysis

Impact

A flaw in pearweb, the PEAR project's website application, lets attackers predict the verification hashes issued for election account requests. An attacker who can reproduce or guess these tokens can verify an account request without authorization, undermining the integrity of the election account process. The weakness is classified as CWE-337 (Predictable Seed in Pseudo-Random Number Generator): the token's apparent randomness traces back to a seed an attacker can reproduce, so the token itself is reproducible.

Affected Systems

The affected product is pearweb (CPE cpe:2.3:a:pear:pearweb), in all versions prior to 1.33.0. The affected component is the web application, not the PEAR installer or the PEAR package library; every pearweb deployment running a version older than 1.33.0 is susceptible.

Risk and Exploitability

The CVSS v4.0 base score of 8.2 (High) comes from the assigner (GitHub); NVD's CVSS v3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Both vectors describe a network-reachable, unauthenticated attack needing no user interaction, and both record the impact as high confidentiality loss with no integrity or availability component; the v4.0 vector's AT:P additionally marks an attack requirement, a condition outside the attacker's control that must hold for exploitation to succeed. The EPSS score below 1% and the absence of a CISA KEV entry indicate no observed exploitation, matching the SSVC assessment (Exploitation: none, Automatable: yes, Technical Impact: partial). The plausible attack path is remote HTTP requests to the election account verification endpoint, with the attacker reproducing or enumerating candidate tokens rather than obtaining them from the legitimate recipient.

Generated by OpenCVE AI on April 18, 2026 at 00:10 UTC.

Remediation

The vendor fix is pearweb 1.33.0, as stated in the description; no separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade pearweb to version 1.33.0 or later, which contains the official fix
  • If the upgrade cannot be applied immediately, disable the election account request feature, or invalidate all outstanding verification tokens and reissue them from a cryptographically secure source (PHP's random_bytes()), storing only a digest, comparing with hash_equals(), and giving each token a short expiry and single use; rate‑limit the verification endpoint so tokens cannot be enumerated by repeated requests
  • After applying the fix or disabling the feature, review application logs for bursts of failed verification attempts against the endpoint and for verifications of requests that were never confirmed by their owners, both of which would indicate token guessing

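The following PHP is an added illustration, not code from pearweb, the advisory or the OpenCVE analysis. It places a verification token derived from a PRNG seeded with a predictable value (the pattern CWE-337 names) beside one drawn from the OS CSPRNG with digest-only storage, constant-time comparison, expiry and single use. The function names, the in-memory $store standing in for a pending-requests table, the e-mail address, the 24 h lifetime and the 10-minute guessing window are all assumptions made for the example; none of them describe what pearweb actually did.

```php
<?php
// Added example (not pearweb code): a verification token derived from a
// PRNG seeded with a predictable value (the pattern CWE-337 describes)
// next to a token drawn from the OS CSPRNG with safe storage and checking.
declare(strict_types=1);

// ---- Predictable variant (illustrative weakness, not the pearweb source) ----
// Seeding mt_rand() with the request's creation time makes its output a
// function of that second; anyone who can bound the time can replay it.
function predictable_token(string $email, int $createdAt): string
{
    mt_srand($createdAt);
    return md5($email . mt_rand());
}

// Attacker side: knowing the e-mail and roughly when the request was filed,
// try every second in a window until the digest matches the target token.
function guess_token(string $email, int $approxTime, string $target, int $window = 600): ?int
{
    for ($t = $approxTime - $window; $t <= $approxTime + $window; $t++) {
        if (hash_equals($target, predictable_token($email, $t))) {
            return $t; // seed recovered, so the token is reproducible
        }
    }
    return null;
}

// ---- Hardened variant ----
const TOKEN_BYTES = 32;     // 256 bits of CSPRNG output
const TOKEN_TTL   = 86400;  // tokens expire after 24 h (assumed policy)

// $store stands in for the database table of pending requests (constructed).
function issue_token(array &$store, string $email): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$email] = [
        'hash'    => hash('sha256', $token), // store only the digest
        'expires' => time() + TOKEN_TTL,
    ];
    return $token; // delivered once to the requester, never persisted in clear
}

function verify_token(array &$store, string $email, string $presented): bool
{
    if (!isset($store[$email])) {
        return false;
    }
    $rec = $store[$email];
    if (time() > $rec['expires']) {
        unset($store[$email]);
        return false;
    }
    $ok = hash_equals($rec['hash'], hash('sha256', $presented)); // constant time
    if ($ok) {
        unset($store[$email]); // single use: a replayed token fails
    }
    return $ok;
}

// Demonstration on constructed data.
$email = 'voter@example.org';
$now   = time();

$weak = predictable_token($email, $now - 137);      // request filed ~2 min ago
$seed = guess_token($email, $now, $weak);
printf("predictable token recovered by guessing: %s\n", $seed !== null ? 'yes' : 'no');

$store  = [];
$strong = issue_token($store, $email);
printf("correct token accepted:  %s\n", verify_token($store, $email, $strong) ? 'yes' : 'no');
printf("replayed token rejected: %s\n", verify_token($store, $email, $strong) ? 'no' : 'yes');
printf("wrong token rejected:    %s\n", verify_token($store, $email, str_repeat('0', 64)) ? 'no' : 'yes');
```

Run with the php CLI: the guess succeeds because the seed lies inside the search window, and the hardened token verifies exactly once. The point of storing only the SHA-256 digest is that a read of the pending-requests table does not hand out usable tokens; the point of hash_equals() is that a string compare returning early on the first mismatched byte can leak how much of a guess was right. Rate limiting the endpoint is still worth doing even with a 256-bit token, since it is the enumeration path the attacker would otherwise use.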

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:15:00 +0000
  CPEs added: cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
  Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 04 Feb 2026 21:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000
  First Time appeared: Pear; Pear pearweb
  Vendors & Products added: Pear; Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000
  Description added: PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.
  Title added: PEAR Has a Predictable Verification Hash in Election Account Requests
  Weaknesses added: CWE-337
  References: (no values shown)
  Metrics added: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T20:34:59.115Z

Reserved: 2026-01-30T14:44:47.328Z

Link: CVE-2026-25235

Vulnrichment

Updated: 2026-02-04T20:34:55.304Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:24.210

Modified: 2026-02-05T18:07:35.470

Link: CVE-2026-25235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses