CVE-2026-25235

High

Published: 03 February 2026

Published

03 February 2026

Modified

05 February 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0005 15.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25235 is a high-severity PRNG (CWE-337) vulnerability in Pear Pearweb. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1110 Brute Force Credential Access

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

attack.mitre.org →

Why these techniques?

Predictable verification hashes enable remote guessing of tokens on a public-facing application (T1190), directly facilitating brute-force style token prediction (T1110) for unauthorized account verification and data access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version…

1.33.0.

Deeper analysisAI

CVE-2026-25235 affects PEAR, a framework and distribution system for reusable PHP components, specifically versions prior to 1.33.0. The vulnerability stems from predictable verification hashes (CWE-337) that enable attackers to guess verification tokens. This flaw allows unauthorized verification of election account requests within the PEAR ecosystem. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, and significant confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with minimal prerequisites. By guessing the predictable hashes, they can verify election account requests without proper authorization, potentially gaining unauthorized access to sensitive account data or verification processes. The impact is confined to high confidentiality loss, with no integrity or availability disruption.

The GitHub Security Advisory (GHSA-477r-4cmw-3cgf) confirms the patch in PEAR version 1.33.0, recommending immediate upgrades to mitigate the issue. No additional workarounds are specified in available references.

Details

CWE(s): CWE-337

Affected Products

pear

pearweb

≤ 1.33.0

CVEs Like This One

CVE-2026-25238Same product: Pear Pearweb

CVE-2026-25240Same product: Pear Pearweb

CVE-2026-25236Same product: Pear Pearweb

CVE-2026-25234Same product: Pear Pearweb

CVE-2026-25237Same product: Pear Pearweb

CVE-2026-25239Same product: Pear Pearweb

CVE-2026-25241Same product: Pear Pearweb

CVE-2026-25233Same product: Pear Pearweb

CVE-2026-26018Shared CWE-337

References

https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf
Vendor Advisory · security-advisories@github.com