CVE-2026-25237

9.8 CRITICAL

📋 TL;DR

This vulnerability in pearweb, the PHP code behind the pear.php.net website, allows remote code execution when attacker-controlled content reaches a preg_replace() call that uses the /e modifier in the bug update email handling. With /e, PHP evaluates the replacement string as code after substituting the captured text into it, so a crafted capture runs arbitrary PHP on the server. The fix ships in pearweb 1.33.0; earlier versions are affected. Caveat for triage: PHP 7.0 removed the /e modifier entirely (the call emits a warning and returns NULL), so the payload only executes on deployments still running PHP 5.x. On PHP 7 or later the vulnerable feature is broken rather than exploitable.

💻 Affected Systems

Products:
  • pearweb (the PEAR website application, github.com/pear/pearweb)
Versions: pearweb versions prior to 1.33.0
Operating Systems: Any operating system running pearweb; the eval path only executes on PHP 5.x, since PHP 7.0 removed the /e modifier
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the bug update email handling functionality in pearweb, not the PEAR installer or PEAR packages in general. Requires attacker-controlled content to reach the vulnerable preg_replace() call; the captured text is substituted into the replacement string before it is evaluated.
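The following is an added illustration of the bug class described above, written for this page; it is hypothetical code, not pearweb's bug-update mailer. The [bug:NNN] tag format, the $mail_body parameter and the function names are assumptions. It shows why quote-escaping of backreferences does not save an /e call, and what the preg_replace_callback() replacement looks like.

```php
<?php
// Added example, not pearweb's code. Demonstrates the preg_replace() /e
// modifier RCE pattern and its preg_replace_callback() replacement.
// The vulnerable branch only executes on PHP 5.x; PHP 7.0 removed /e.

// VULNERABLE: with /e, PHP evaluates the replacement string as code after
// substituting the captured text for $1. Single quotes, double quotes and
// backslashes in the capture are escaped, but the "{${expr}}" complex syntax
// needs none of those characters, so a crafted capture still executes.
// The lax capture group ([^\]]+) is an assumption; the looser the group,
// the easier the bug is to reach.
function linkify_bugs_vulnerable($mail_body)
{
    return preg_replace(
        '/\[bug:([^\]]+)\]/e',
        '"<a href=\"/bugs/bug.php?id=$1\">bug $1</a>"',
        $mail_body
    );
}

// FIXED: preg_replace_callback() hands the capture to a closure as data.
// Nothing from the input is ever parsed as PHP, and the id is cast to int
// before it is placed into HTML.
function linkify_bugs_fixed($mail_body)
{
    return preg_replace_callback(
        '/\[bug:(\d+)\]/',
        function ($m) {
            $id = (int) $m[1];
            return '<a href="/bugs/bug.php?id=' . $id . '">bug ' . $id . '</a>';
        },
        $mail_body
    );
}

// Constructed attacker input: the "id" is a PHP expression, not a number.
// phpinfo() stands in for whatever the attacker would actually call.
$attacker_body = 'Status update [bug:{${phpinfo()}}] closed';

// On PHP 5.x this prints the phpinfo() page during the replace (with an
// E_DEPRECATED notice on 5.5/5.6). On PHP >= 7.0 it emits
// "Unknown modifier 'e'" and returns NULL instead.
var_dump(linkify_bugs_vulnerable($attacker_body));

// The fixed version only ever emits an anchor tag for numeric ids and
// leaves anything else untouched.
echo linkify_bugs_fixed('Status update [bug:1234] closed'), "\n";
echo linkify_bugs_fixed($attacker_body), "\n";
```

The point to take from the vulnerable function is that input validation layered in front of it is fragile: the payload contains no quotes, no angle brackets and no tags, so sanitizers aimed at HTML or SQL let it through. Removing /e is the fix.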

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise allowing attackers to execute arbitrary PHP code, access sensitive data, install backdoors, or pivot to other systems.

🟠

Likely Case

Remote code execution leading to web shell installation, data exfiltration, or service disruption.

🟢

If Mitigated

Mitigation short of the patch is weak: input filtering in front of the call can block known payload shapes, but the eval remains, and any capture that reaches it with PHP complex syntax ({${...}}) still executes. Real risk reduction comes from removing the /e call or running on PHP 7 or later, where the modifier no longer exists.

🌐 Internet-Facing: HIGH - pearweb is a public web application that accepts bug updates from anyone on the internet, so the attacker-controlled content reaches the vulnerable code by design.
🏢 Internal Only: MEDIUM - Private pearweb deployments (mirrors, forks or internal package sites) can be hit by anyone with network access to the bug update features or by an attacker already inside the network.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The /e modifier is a long-known, well-documented code execution primitive, so once the attacker knows which field reaches the call, building a payload is straightforward. Exploitation requires the target to run pearweb on PHP 5.x; on PHP 7 or later the modifier is gone and the call fails instead of executing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.33.0

Vendor Advisory: https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23

Restart Required: No

Instructions:

1. Update the pearweb deployment to version 1.33.0 or later from the pear/pearweb repository (see the vendor advisory). This is the website code, not the PEAR installer, so `pear upgrade pear` does not address it.
2. Verify the update completed successfully
3. Test functionality to ensure no breaking changes

🔧 Temporary Workarounds

Disable bug update email functionality

Platform: all

Temporarily disable the vulnerable bug update email handling feature if it is not required

# Modify the pearweb configuration to disable bug update emails
# Check the pearweb configuration files for email-related settings

Remove the /e modifier or filter input in front of it

Platform: all

The root cause is the /e modifier, so the effective workaround is to rewrite the affected preg_replace() call as preg_replace_callback(), which treats the captured text as data rather than code. If the code cannot be changed yet, reject input containing PHP complex syntax before it reaches the call; note that filter_var() with FILTER_SANITIZE_STRING and htmlspecialchars() do not stop a payload such as {${phpinfo()}}, because it contains no tags or quotes (and FILTER_SANITIZE_STRING is deprecated since PHP 8.1)

# Preferred: replace preg_replace('/.../e', ...) with preg_replace_callback('/.../', function ($m) { ... }, ...)
# Stopgap: reject input containing '{$' or '${' before it reaches the vulnerable call

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules on the bug update endpoints that block PHP complex-syntax markers in request bodies ("{$", "${" and their URL-encoded forms %7B%24 and %24%7B) and calls to code execution functions such as eval(, system( and passthru(
  • Restrict network access to systems running vulnerable pearweb versions, and monitor them for exploitation attempts (new .php files under the web root, PHP worker processes spawning shells)

🔍 How to Verify

Check if Vulnerable:

Determine the version of pearweb that is deployed (the git tag or release of the pearweb checkout); anything below 1.33.0 is affected. `pear version` reports the PEAR installer, not pearweb, so it does not answer this question. Independently, grep the deployed tree for preg_replace() calls whose pattern string ends in an /e modifier, and check which PHP version serves it: on PHP 7 or later the modifier no longer executes.

Check Version:

git -C /path/to/pearweb describe --tags

Verify Fix Applied:

Confirm the deployed pearweb is 1.33.0 or later and that no preg_replace() call with the /e modifier remains in the bug update email code.
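The check below is an added example for this page, not tooling from pearweb or the advisory. It scans a PHP tree for preg_replace() calls whose literal pattern carries the /e modifier, which is the concrete thing to confirm is gone after the upgrade. It is a heuristic: it only sees single-line calls with a literal pattern using one of the delimiters / # ~ ! | @, so a call with the pattern in a variable would be missed. The fixture files it builds are constructed for the demonstration and are not pearweb's code.

```sh
#!/bin/sh
# Added example: heuristic scan for preg_replace() calls that use the /e
# (eval) modifier. Not pearweb's tooling; assumes single-line calls with a
# literal pattern string and one of the delimiters / # ~ ! | @.

find_eval_modifier_calls() {
    dir="$1"
    # preg_replace( '<delim>...<delim><flags containing e>'  -- flags are
    # the letters between the closing delimiter and the closing quote.
    pat="preg_replace[[:space:]]*\([[:space:]]*['\"][/#~!|@].*[/#~!|@][a-zA-Z]*e[a-zA-Z]*['\"]"
    # /dev/null forces grep to prefix each hit with the file name, even
    # when find hands it a single file.
    find "$dir" -type f -name '*.php' -exec grep -nE "$pat" /dev/null {} +
}

# Constructed fixture: one hypothetical vulnerable call and one file that
# uses preg_replace_callback() plus an unrelated /i pattern. Returns the
# hits with the temp directory prefix stripped.
demo_scan() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/vuln.php" <<'EOF'
<?php
$body = preg_replace('/\[bug:(\d+)\]/e', '"<a href=\"/bugs/bug.php?id=$1\">bug $1</a>"', $body);
EOF
    cat > "$tmp/fixed.php" <<'EOF'
<?php
$body = preg_replace_callback('/\[bug:(\d+)\]/', function ($m) { return '<a href="/bugs/bug.php?id=' . $m[1] . '">bug ' . $m[1] . '</a>'; }, $body);
$subject = preg_replace('/^re:\s*/i', '', $subject);
EOF
    find_eval_modifier_calls "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Usage against a real deployment:  find_eval_modifier_calls /path/to/pearweb
demo_scan
```

On the fixture this reports only vuln.php (line 2); the preg_replace_callback() call and the /i pattern in fixed.php produce no hit. Run it against the deployed pearweb directory before and after the upgrade; an empty result after the upgrade is the evidence that the patch is actually in place, which the version string alone does not prove.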

📡 Detection & Monitoring

Log Indicators:

  • PHP error log entries from the affected code path: on PHP 5.5 and 5.6 every /e call logs "preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead", and on PHP 7 or later it logs "preg_replace(): Unknown modifier 'e'"; the first confirms the eval path is live, the second that it is present but no longer executes
  • Suspicious POST requests to bug update endpoints whose bodies contain PHP complex syntax ("{$", "${") or code execution function names, raw or URL-encoded
  • Signs of code execution on the web server: new or modified .php files under the web root, PHP worker processes (php-fpm, mod_php) spawning shells, or PHP error log entries for functions the application never calls

Network Indicators:

  • Unusual outbound connections from web server after bug update requests
  • Traffic patterns indicating web shell communication

SIEM Query:

source="web_logs" AND method="POST" AND uri_path="<bug update endpoint>" AND (request_body="*{$*" OR request_body="*${*" OR request_body="*%7B%24*" OR request_body="*%24%7B*")

Plain access logs do not record POST bodies, so this query needs a WAF, reverse proxy or application log source that captures them. Searching web logs for the string "preg_replace" or "/e modifier" finds nothing, because the function name never appears in the attacker's request; those strings show up only in the PHP error log.
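As an added example for the detection section, the script below runs the logic behind that query over a handful of constructed log lines. The log format (an access log that carries the request body in a body="..." field, as a WAF or reverse proxy might write), the endpoint paths and the sample entries are assumptions for illustration, not pearweb's own; the two rules it applies, an eval-style payload posted to a bug update endpoint, and a later request from the same client to a PHP file the application does not ship, are what a practitioner would actually correlate.

```python
import re
from urllib.parse import unquote_plus

# Added example, not pearweb's code. Endpoint paths, the log format and the
# sample lines are constructed assumptions for this demonstration.
BUG_UPDATE_PATHS = {"/bugs/bug.php", "/bugs/bug-update.php"}          # assumed
KNOWN_PHP_PATHS = BUG_UPDATE_PATHS | {"/index.php", "/bugs/search.php"}  # assumed

# Text that only makes sense if the sender expects it to be evaluated as PHP:
# the {${expr}} / ${expr} complex-syntax forms that survive the quote-escaping
# /e applies to backreferences, or a call to a code execution function.
PHP_EVAL_MARKERS = re.compile(
    r"\{\$\{|\$\{\s*[a-zA-Z_]\w*\s*\(|\b(?:eval|assert|system|passthru|shell_exec|popen)\s*\(",
    re.IGNORECASE,
)

# Access log line with an extra body="..." field; the body is form-encoded so
# it never contains a raw double quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ body="(?P<body>[^"]*)"$'
)


def has_php_eval_marker(text):
    """True if text (URL-encoded once or twice) contains a PHP code marker."""
    decoded = unquote_plus(unquote_plus(text))   # second pass catches double encoding
    return PHP_EVAL_MARKERS.search(decoded) is not None


def scan(lines):
    """Return (rule, ip, timestamp, path) alerts for the two detection rules."""
    alerts = []
    flagged_ips = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if (m["method"] == "POST" and path in BUG_UPDATE_PATHS
                and (has_php_eval_marker(m["body"]) or has_php_eval_marker(query))):
            alerts.append(("php_eval_payload", m["ip"], m["ts"], path))
            flagged_ips.add(m["ip"])
        elif (m["ip"] in flagged_ips and path.endswith(".php")
                and path not in KNOWN_PHP_PATHS and m["status"] == "200"):
            # A client that sent an eval payload now fetches a PHP file the
            # application does not ship: likely a dropped web shell.
            alerts.append(("possible_webshell", m["ip"], m["ts"], path))
    return alerts


# Constructed sample log. Line 2 carries [bug:{${phpinfo()}}] form-encoded;
# line 4 shows why searching for the word "preg_replace" is noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "POST /bugs/bug.php?id=1234 HTTP/1.1" 200 512 '
    'body="comment=Fixed+in+1.33.0&status=Closed"',
    '198.51.100.9 - - [12/Mar/2026:10:15:40 +0000] "POST /bugs/bug.php?id=1234 HTTP/1.1" 200 512 '
    'body="comment=see+%5Bbug%3A%7B%24%7Bphpinfo%28%29%7D%7D%5D&status=Open"',
    '198.51.100.9 - - [12/Mar/2026:10:16:05 +0000] "GET /images/c.php?cmd=id HTTP/1.1" 200 87 body=""',
    '203.0.113.7 - - [12/Mar/2026:10:17:00 +0000] "GET /bugs/search.php?q=preg_replace HTTP/1.1" 200 2048 body=""',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample it raises one php_eval_payload alert for 198.51.100.9 and one possible_webshell alert for the same client's later request to /images/c.php; the benign update and the search for "preg_replace" produce nothing. The second rule is deliberately keyed on the already-flagged client so that ordinary 404 scanning for PHP files does not page anyone.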

🔗 References
