Cyber Resilience

CVE-2026-25237

Severity: Critical
Published: 03 February 2026
Modified: 05 February 2026
KEV Added: not listed
Patch: available (version 1.33.0)
CVSS Score (v4): 9.2
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0040 (31.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25237 is a critical-severity Executable Regular Expression Error (CWE-624) vulnerability in Pear Pearweb. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 31.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25237 is a critical vulnerability in PEAR, a framework and distribution system for reusable PHP components. Prior to version 1.33.0, the bug update email handling feature improperly uses the preg_replace() function with the /e modifier, which evaluates PHP code in the replacement string. If attacker-controlled content reaches this evaluated replacement, it enables arbitrary PHP code execution on the affected server. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-624.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation occurs by injecting malicious content into bug update emails processed by the PEAR system, such as through manipulated bug reports or email inputs that trigger the flawed preg_replace() call. Successful exploitation grants full PHP code execution on the server, potentially allowing complete compromise including data theft, modification, or server takeover.

The GitHub security advisory at https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23 details the patch in PEAR version 1.33.0, which addresses the insecure use of the /e modifier. Security practitioners should upgrade to version 1.33.0 or later and review any custom email handling in PEAR deployments for similar preg_replace() patterns.
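The /e pattern described above, shown next to its hardened form and to the "review similar preg_replace() patterns" check, as an added example that is not pearweb's own code: the normalise_status_* functions, the audit helper and the sample email body are hypothetical and constructed for illustration, and the script assumes PHP 7.4 or later. PHP 5.5 deprecated the /e modifier and PHP 7.0 removed it, so on a current runtime the unsafe call emits a warning and returns null instead of evaluating anything; the pattern still matters for older runtimes and for code review.

```php
<?php
// Added example (not pearweb's own code): a hypothetical bug-update email
// normaliser written the CWE-624 way, its hardened replacement, and an audit
// helper that flags preg_replace() calls using the /e modifier. Assumes PHP 7.4+.
declare(strict_types=1);

// Hypothetical "before". With /e, preg_replace() substitutes the captured text
// into the replacement string and then eval()s the result as PHP. The capture
// here is an arbitrary line from the email, so the email author controls part of
// the source that gets evaluated. PHP >= 7.0 no longer accepts /e (it warns and
// returns null), so this function is defined only to show the pattern and is
// never called below.
function normalise_status_unsafe(string $body): ?string
{
    return preg_replace('/^Status:\s*(.+)$/me', '"Status: " . strtoupper("\\1")', $body);
}

// Hardened form: preg_replace_callback() hands the captures to a closure as plain
// strings; nothing from the email is ever parsed as code.
function normalise_status_safe(string $body): string
{
    $result = preg_replace_callback(
        '/^Status:\s*(.+)$/m',
        static fn(array $m): string => 'Status: ' . strtoupper(trim($m[1])),
        $body
    );
    if ($result === null) {
        throw new RuntimeException('regex failure, preg_last_error=' . preg_last_error());
    }
    return $result;
}

// Audit helper for the "review similar preg_replace() patterns" step. Heuristic:
// finds preg_replace() calls whose first argument is a quoted pattern literal and
// reports those whose modifier list contains 'e'. Patterns assembled at runtime or
// split across concatenations are not matched and still need a manual look.
function find_eval_modifier_calls(string $source): array
{
    $hits = [];
    // group 1: quote char, group 2: delimiter, group 3: pattern body, group 4: modifiers
    $re = '/preg_replace\s*\(\s*(["\'])(.)(.*?)\2([A-Za-z]*)\1/s';
    if (preg_match_all($re, $source, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[4] as $i => [$mods]) {
            if (strpos($mods, 'e') !== false) {
                [$call, $offset] = $m[0][$i];
                $hits[] = [
                    'line' => substr_count(substr($source, 0, $offset), "\n") + 1,
                    'call' => $call,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample body in the shape of a bug-tracker update email.
$sample = "Bug #1234 updated\nStatus: closed\nAssigned to: nobody\n";
echo normalise_status_safe($sample);

// Scan this very file: the only expected hit is normalise_status_unsafe().
foreach (find_eval_modifier_calls((string) file_get_contents(__FILE__)) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['call']);
}
```

Run with `php example.php`; pointing find_eval_modifier_calls() at the contents of each file under a deployment's web root gives a first-pass list of call sites to review, with anything it cannot parse (dynamically built patterns) left for a manual grep of preg_replace.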

Vulnerability details

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.

CWE(s): CWE-624 Executable Regular Expression Error

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote unauthenticated arbitrary PHP code execution via crafted bug update emails in a public-facing PHP web framework (PEAR pearweb), directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25238 (same product: Pear Pearweb)
CVE-2026-25240 (same product: Pear Pearweb)
CVE-2026-25236 (same product: Pear Pearweb)
CVE-2026-25234 (same product: Pear Pearweb)
CVE-2026-25239 (same product: Pear Pearweb)
CVE-2026-25235 (same product: Pear Pearweb)
CVE-2026-25241 (same product: Pear Pearweb)
CVE-2026-25233 (same product: Pear Pearweb)

Affected Assets

Vendor: pear
Product: pearweb
Versions: ≤ 1.33.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the preg_replace() /e modifier flaw by upgrading to PEAR version 1.33.0, eliminating the arbitrary PHP code execution path.

Input validation (prevent)
Requires validation of attacker-controlled inputs in bug update emails so that malicious content never reaches the vulnerable code evaluation.

RA-5 Vulnerability Monitoring and Scanning (detect)
Enables vulnerability scanning to identify the PEAR preg_replace() flaw and trigger remediation before exploitation.
