CVE-2026-25237
Published: 03 February 2026
Summary
CVE-2026-25237 is a critical-severity Executable Regular Expression Error (CWE-624) vulnerability in PEAR pearweb. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): mandates timely patching of the preg_replace() /e modifier flaw by upgrading pearweb to version 1.33.0, the release that removes the arbitrary PHP code execution path.
- Input validation: requires validation of attacker-controlled content in bug update emails so that untrusted text never reaches the evaluated replacement.
- RA-5 (Vulnerability Monitoring and Scanning): enables scanning to identify unpatched pearweb deployments and trigger remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated, arbitrary PHP code execution via crafted bug update emails in a public-facing PHP web application (PEAR pearweb), which maps directly to exploitation of public-facing applications.
NVD Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
Deeper analysis
CVE-2026-25237 is a critical vulnerability in pearweb, the PEAR project's web application (PEAR itself is a framework and distribution system for reusable PHP components). Prior to version 1.33.0, the bug update email handling code calls preg_replace() with the /e modifier, which treats the replacement string as PHP source and evaluates it after substituting the captured backreferences into it. If attacker-controlled content reaches that evaluated replacement, it runs as PHP on the server. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-624 (Executable Regular Expression Error).
A remote, unauthenticated attacker can exploit the flaw over the network with low complexity and no user interaction. Exploitation consists of getting malicious content into a bug update email processed by pearweb, for example through a manipulated bug report or comment that feeds the flawed preg_replace() call. Success grants PHP code execution in the web server's context, which can lead to complete compromise: data theft, data modification or server takeover. One caveat for triage: the /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where preg_replace() rejects it with a warning and returns NULL. The code-execution path is therefore only live on deployments still running PHP 5.x; on PHP 7 and later the same call is a functional bug in the mail code rather than an RCE, but it should be fixed either way.
The GitHub security advisory at https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23 describes the fix shipped in pearweb version 1.33.0, which removes the insecure use of the /e modifier. Security practitioners should upgrade to version 1.33.0 or later and audit any custom email handling in PEAR deployments for the same pattern: preg_replace() calls whose pattern literal carries the e modifier, or whose replacement string is assembled from untrusted data.
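To make the flaw class and the fix concrete, the following is an added example written for this page; it is not code from pearweb or from the advisory. It models a hypothetical bug-update mail formatter that expands {field} tokens in the message body, first in the preg_replace() /e form the advisory describes and then in the preg_replace_callback() form that replaces it, and adds a small audit helper for the "review other preg_replace() patterns" advice. The function names (expand_unsafe, expand_safe, find_e_modifier), the field names and the sample email and source text are all assumptions made for the example.

```php
<?php
// Added example, not pearweb's code: a hypothetical bug-update mail formatter
// in its vulnerable /e form and its hardened callback form, plus a heuristic
// source check for preg_replace() calls that use the /e modifier.

declare(strict_types=1);

// VULNERABLE pattern (only reachable on PHP < 7). With /e the replacement
// is PHP source that is evaluated after the capture is substituted into it.
// The subject includes the reporter's comment, so any attacker text that
// matches {...} is spliced into the evaluated code. On PHP >= 7 the 'e'
// modifier no longer exists: preg_replace() warns and returns NULL.
function expand_unsafe(string $body, array $fields): ?string
{
    // DO NOT USE. The '@' only hides the PHP >= 7 "Unknown modifier 'e'" warning.
    return @preg_replace('/\{(.+?)\}/e', '$fields["\\1"]', $body);
}

// HARDENED form: the capture is handed to a callback as data and is only
// ever used as an array key, so nothing in the subject is interpreted as
// code. The token syntax is also tightened to \w+ so that stray braces in a
// comment are left untouched.
function expand_safe(string $body, array $fields): string
{
    $out = preg_replace_callback(
        '/\{(\w+)\}/',
        static function (array $m) use ($fields): string {
            return array_key_exists($m[1], $fields) ? (string) $fields[$m[1]] : $m[0];
        },
        $body
    );
    if ($out === null) {
        // PCRE failure (e.g. backtrack limit): fail closed rather than send garbage.
        throw new RuntimeException('preg_replace_callback failed, error ' . preg_last_error());
    }
    return $out;
}

// Audit helper: returns the 1-based line numbers of preg_replace() calls whose
// pattern literal carries an 'e' modifier. Heuristic only: it recognises
// single- or double-quoted pattern literals written inline at the call site,
// not patterns held in variables or constants.
function find_e_modifier(string $source): array
{
    $hits = [];
    // quote, delimiter, body (lazy), same delimiter, modifiers, same quote
    $re = '/preg_replace\s*\(\s*([\'"])(.)(.*?)\2([A-Za-z]*)\1/';
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match($re, $line, $m) && strpos($m[4], 'e') !== false) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed sample input: the comment is the attacker-controlled part and
// deliberately contains brace tokens.
$fields  = ['id' => '12345', 'reporter' => 'mallory'];
$comment = "Still broken. {not_a_field} {reporter}";
$body    = "Bug #{id} updated by {reporter}:\n\n" . $comment;

echo expand_safe($body, $fields), "\n";

// Constructed source snippet for the audit helper: lines 1 and 3 use /e.
$src = <<<'PHP'
$a = preg_replace('/\{(.+?)\}/e', '$fields["\\1"]', $body);
$b = preg_replace('/\{(\w+)\}/i', 'x', $body);
$c = preg_replace("#(\d+)#e", 'intval("\\1")', $body);
PHP;
print_r(find_e_modifier($src));
```

In expand_safe() the unknown token {not_a_field} survives as literal text and {reporter} inside the comment is expanded, but in both cases the captured text is only ever a lookup key; the callback is the load-bearing change, since preg_replace_callback() has no mode in which a string is evaluated. The audit helper is deliberately narrow: a pattern built at runtime (for example from a configuration value) will not be caught, so a grep for the e modifier should be paired with a review of every preg_replace() whose pattern is not a literal.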
Details
- CWE(s)