Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via email handling
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from a preg_replace() call that uses the /e (PREG_REPLACE_EVAL) modifier in the bug update email handling of pearweb. With /e, preg_replace() substitutes the backreferences into the replacement string and then evaluates the result as PHP code, so any captured text an attacker controls becomes part of the code that runs. PHP applies addslashes() to each backreference first, which blocks quote-based breakouts but not code reached through double-quoted string interpolation (the `{${...}}` form), which is why /e is unsafe whenever untrusted text can be matched. The weakness is CWE-624 (Executable Regular Expression Error). Successful exploitation runs attacker-chosen PHP on the server, compromising the confidentiality, integrity, and availability of the affected system. Note that /e was deprecated in PHP 5.5 and removed in PHP 7.0: on PHP 7 or later the call fails with a warning and returns null instead of executing anything.

Affected Systems

The product recorded on this page is pearweb (CPE cpe:2.3:a:pear:pearweb), the PEAR web application, in all versions prior to 1.33.0. The flaw sits in its bug update email handling; no narrower component is identified beyond that.

Risk and Exploitability

The CVSS v4.0 score is 9.2 (Critical); the vector marks Attack Requirements as Present (AT:P), meaning the scorer judged that exploitation depends on a deployment or execution condition being met, consistent with the description's "if attacker-controlled content reaches the evaluated replacement". NVD's CVSS v3.1 assessment is 9.8. The EPSS score is below 1%, the CVE is not in CISA's KEV, and the SSVC record lists Exploitation as none but Automatable as yes. The description does not say which input reaches the evaluated replacement, only that it is attacker-controlled and handled by the bug update email code; any text that flows through that handler, whether it arrives by email or through the bug tracker itself, should be assumed reachable until the fix is reviewed. One practical caveat: /e only evaluates code on PHP versions before 7.0, so an instance running PHP 7 or later cannot be exploited this way (the call fails instead), although it still needs the upgrade. Administrators should treat this as a high-priority vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 00:09 UTC.
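
The mechanism described under Impact and the attack path sketched under Risk and Exploitability, as an added example that is not pearweb's code and does not come from this page: a hypothetical email-formatting helper written the way the CVE describes (preg_replace() with /e over attacker-influenced text) beside the preg_replace_callback() form that the PHP manual recommends in its place. The function names, the [Tag] convention and the sample notes are all invented for the illustration.

```php
<?php
// Added example, not pearweb's code. It models the pattern the CVE describes:
// a formatting helper for a bug update email that runs preg_replace() with
// the /e modifier over text an attacker can influence. The function names,
// the [Tag] convention and the sample notes are hypothetical.

// Vulnerable shape: /e makes PHP evaluate the replacement string as code
// after substituting the backreference. PHP runs addslashes() on each
// backreference, which neutralises quotes, but a double-quoted string still
// interpolates complex variable syntax such as {${...}}.
function formatNoteVulnerable(string $note): string
{
    // Intended behaviour: upper-case any [Tag] marker in the note.
    // Only evaluates on PHP 5.x; PHP 7+ rejects /e, warns, and returns null.
    return (string) preg_replace('/\[([^\]]+)\]/e', 'strtoupper("\\1")', $note);
}

// Hardened shape: preg_replace_callback() hands the match to a closure as
// data; nothing attacker-controlled is ever compiled as PHP.
function formatNoteSafe(string $note): string
{
    return preg_replace_callback(
        '/\[([^\]]+)\]/',
        static fn(array $m): string => strtoupper($m[1]),
        $note
    );
}

// Constructed inputs. The second is the classic /e payload: addslashes()
// leaves braces alone, so "{${phpinfo()}}" inside the double-quoted
// replacement is interpolated and phpinfo() runs. The safe version merely
// upper-cases it.
$benign  = 'Status changed to [closed] by maintainer';
$hostile = 'Status changed to [{${phpinfo()}}]';

foreach ([$benign, $hostile] as $input) {
    echo formatNoteSafe($input), PHP_EOL;
}
```

Only the safe function is run on the hostile input. Calling formatNoteVulnerable() with it on PHP 5.x executes phpinfo(); on PHP 7 and later the same call emits a warning and yields an empty string, which is why a code base that still carries /e breaks rather than executes when the interpreter is upgraded.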

Remediation

No vendor advisory or workaround is recorded on this page. The CVE description itself states that the issue is fixed in version 1.33.0, so upgrading to that release is the remediation.

OpenCVE Recommended Actions

  • Upgrade pearweb to version 1.33.0 or later, the release the CVE description names as fixed
  • If upgrading is not immediately possible, replace the preg_replace() call that uses /e with preg_replace_callback(), which receives the match as data and evaluates nothing; note that /e has been rejected outright since PHP 7.0, so on a current PHP the call breaks rather than executes code
  • Do not rely on escaping or sanitizing input as a stopgap: PHP already runs addslashes() on /e backreferences, and that does not prevent code execution through double-quoted string interpolation; if the code cannot be changed yet, disable the bug update email path or restrict who can submit content that reaches it until the patch is applied

Generated by OpenCVE AI on April 18, 2026 at 00:09 UTC.
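
Acting on the second recommendation means first finding every preg_replace() call that still uses /e. The following is an added audit helper, not pearweb's code and not from this page: it tokenizes PHP source with token_get_all() and reports preg_replace() calls whose pattern literal ends in an e modifier, handling the bracket-style delimiters PCRE allows as well as the usual slash. The source it scans is constructed inline; patterns assembled at runtime are outside what it can see and need manual review.

```php
<?php
// Added audit helper (hypothetical; not pearweb code). Reports preg_replace()
// calls whose literal pattern carries the /e modifier, with line numbers.

// PCRE bracket delimiters pair with their closer; every other delimiter
// closes with the same character.
const DELIM_PAIRS = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];

// Returns the modifier letters of a pattern literal (PHP quotes already
// removed), or null if the literal does not look like a delimited pattern.
function patternModifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $open  = $pattern[0];
    $close = DELIM_PAIRS[$open] ?? $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return null;
    }
    return substr($pattern, $end + 1);
}

// Scans PHP source and returns [['line' => int, 'pattern' => string], ...]
// for every preg_replace() whose first argument is a literal with /e.
function findEvalReplace(string $source): array
{
    $hits   = [];
    $tokens = token_get_all($source);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING || strcasecmp($tok[1], 'preg_replace') !== 0) {
            continue;
        }
        // The pattern is the first argument: take the first string literal after the name.
        for ($j = $i + 1; $j < $count; $j++) {
            $arg = $tokens[$j];
            if (is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING) {
                $literal = substr($arg[1], 1, -1);          // drop the PHP quotes
                $mods    = patternModifiers($literal);
                if ($mods !== null && strpos($mods, 'e') !== false) {
                    $hits[] = ['line' => $tok[2], 'pattern' => $literal];
                }
                break;
            }
            if ($arg === ',' || $arg === ')') {            // first argument was not a literal
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample source (not real pearweb code): one safe call, one /e
// call using a non-slash delimiter, and a preg_replace_callback() for contrast.
$sample = <<<'PHPSRC'
<?php
$a = preg_replace('/\s+/', ' ', $text);
$b = preg_replace('#\[(\w+)\]#ie', 'strtoupper("\\1")', $text);
$c = preg_replace_callback('/\[(\w+)\]/', fn($m) => strtoupper($m[1]), $text);
PHPSRC;

foreach (findEvalReplace($sample) as $hit) {
    printf("line %d: preg_replace() with /e: %s\n", $hit['line'], $hit['pattern']);
}
```

Point it at real files with file_get_contents() in place of the sample string. It matches on the function name only, so preg_replace_callback() and preg_replace_callback_array() are never reported, and a hit on a file that runs under PHP 7 or later is a latent functional bug rather than an executable one.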

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
Metrics   -                cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Pear; Pear pearweb
Vendors & Products    -                Pear; Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description   -                PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
Title         -                PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails
Weaknesses    -                CWE-624
References    -                -
Metrics       -                cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T20:21:50.253Z

Reserved: 2026-01-30T14:44:47.329Z

Link: CVE-2026-25237

Vulnrichment

Updated: 2026-02-04T20:21:46.580Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:24.867

Modified: 2026-02-05T18:05:46.980

Link: CVE-2026-25237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses