CVE-2026-25233
Published: 03 February 2026
Summary
CVE-2026-25233 is a critical-severity Operator Precedence Logic Error (CWE-783) vulnerability in Pear Pearweb. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 19.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly countering the logic bug in PEAR's roadmap role check that permitted unauthorized create, update, or delete actions.
SI-2 (Flaw Remediation): Requires identification, reporting, and correction of system flaws like this logic bug, achieved by patching PEAR to version 1.33.0 or later.
AC-6 (Least Privilege): Ensures non-lead maintainers lack permissions for roadmap modifications, providing defense in depth against flawed role checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The logic flaw in the public-facing pearweb application can be exploited over the network without authentication (T1190) to perform unauthorized create, update, or delete operations on stored roadmap data (T1565.001, Stored Data Manipulation).
NVD Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
Deeper analysis
CVE-2026-25233 is a logic bug in the roadmap role check within PEAR, a framework and distribution system for reusable PHP components. The vulnerability affects PEAR versions prior to 1.33.0, specifically in the pearweb component, and was published on 2026-02-03. It has been assigned CWE-783 (Operator Precedence Logic Error) and a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to high integrity and availability impacts with no confidentiality loss.
The CVSS vector indicates that the flaw is reachable over the network and exploitable with low complexity, no privileges, and no user interaction. Because the role check fails to restrict roadmap management to lead maintainers, non-lead maintainers can create, update, or delete roadmaps, allowing unauthorized manipulation of project roadmaps in the PEAR ecosystem that could disrupt development planning or introduce misleading information.
The GitHub security advisory (GHSA-p92v-9j73-fxx3) confirms the issue has been patched in PEAR version 1.33.0. Security practitioners should upgrade to this version or later to mitigate the vulnerability.
Details
- CWE(s)