CVE-2026-25237: CWE-624: Executable Regular Expression Error in pear pearweb
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
AI Analysis
Technical Summary
CVE-2026-25237 is a critical vulnerability identified in pearweb, a component of the PEAR PHP framework used for reusable PHP components. The vulnerability stems from the use of the preg_replace() function with the deprecated /e modifier in the handling of bug update emails. The /e modifier causes the replacement string to be evaluated as PHP code; if attacker-controlled input reaches this evaluated replacement, the result is arbitrary PHP code execution on the server. This flaw exists in pearweb versions prior to 1.33.0 and has been patched in that release. The vulnerability is classified under CWE-624, indicating an executable regular expression error. The CVSS 4.0 base score is 9.2 (critical), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), has low attack complexity (AC:L), but has attack requirements present (AT:P), meaning a precondition such as attacker content reaching the evaluated replacement must hold. The vulnerability impacts confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H). Exploitation does not require authentication, making it highly dangerous. Although no known exploits are reported in the wild yet, the nature of the flaw (remote code execution via email processing) makes it a prime target for attackers. The vulnerability could allow attackers to execute arbitrary PHP code remotely, potentially leading to full system compromise, data theft, or service disruption. The issue is particularly critical in environments where pearweb is used to process external inputs such as bug reports or emails, which is common in software development and hosting infrastructures.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially those relying on pearweb in their PHP-based infrastructure for bug tracking, email processing, or component distribution. Successful exploitation could lead to remote code execution, enabling attackers to take full control of affected systems, steal sensitive data, disrupt services, or use compromised servers as pivot points for further attacks. This is particularly concerning for sectors such as government, finance, telecommunications, and software development firms that often use PEAR components. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Additionally, compromised systems could be used to launch attacks on other internal or external targets, amplifying the impact. The vulnerability could also damage organizational reputation and lead to regulatory penalties under GDPR if personal data is exposed or systems are disrupted.
Mitigation Recommendations
1. Immediately upgrade pearweb to version 1.33.0 or later, where the vulnerability is patched.
2. Audit all PHP code handling email inputs or using preg_replace() with the /e modifier to identify and refactor unsafe code patterns.
3. Implement strict input validation and sanitization on all external inputs, especially those processed in email handling workflows.
4. Employ web application firewalls (WAFs) with rules to detect and block suspicious payloads targeting PHP code execution vulnerabilities.
5. Monitor logs for unusual activity related to email processing or PHP execution errors.
6. Restrict network access to systems running pearweb to trusted sources where possible.
7. Conduct regular security assessments and code reviews focusing on legacy PHP functions known to be risky.
8. Educate development teams about the risks of deprecated PHP features like the /e modifier and promote secure coding practices.
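The technical summary above describes the mechanism (a preg_replace() pattern carrying the e modifier evaluates its replacement as PHP code), and mitigation step 2 asks for an audit of code that still uses it. The following is an added example, written for this page and not taken from pearweb or the PEAR project, of a small static scanner that walks PHP source text and reports every preg_replace() call whose pattern literal ends in an e modifier. It handles the delimiter forms PCRE-in-PHP accepts (any non-alphanumeric character or a bracket pair) rather than only the slash, and it separately flags calls whose pattern is not a string literal, since those cannot be judged statically and need a manual look. The PHP fragments in SAMPLE_PHP are constructed for the demonstration; the function names format_bug and $dynamic_pattern are placeholders, not real pearweb identifiers.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample PHP in the style of legacy mail-handling code.
# Illustrative fragments only, not pearweb's source.
SAMPLE_PHP = r'''<?php
$subject = preg_replace('/\[Bug (\d+)\]/e', 'format_bug("$1")', $subject);
$body    = preg_replace("#(\r\n|\r)#", "\n", $body);
$body    = preg_replace('~<(\w+)>~ie', 'strtolower("$1")', $body);
$body    = preg_replace_callback('/\[Bug (\d+)\]/', 'format_bug', $body);
$body    = preg_replace($dynamic_pattern, $replacement, $body);
'''

# Opening of a preg_replace( call; the "(" right after the name keeps
# preg_replace_callback( from matching.
CALL_RE = re.compile(r'\bpreg_replace\s*\(')

# A single- or double-quoted PHP string literal as the first argument.
# Backslash escapes are consumed as pairs so an escaped quote does not end it.
LITERAL_RE = re.compile(r'''\s*(?P<q>['"])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)''')

# PHP allows these bracket pairs as pattern delimiters besides single characters.
BRACKET_PAIRS = {'(': ')', '[': ']', '{': '}', '<': '>'}


def pattern_modifiers(pattern: str) -> Optional[str]:
    """Return the modifier letters of a PHP PCRE pattern string, or None if
    the string is not a well-formed delimited pattern."""
    p = pattern.lstrip()
    if not p:
        return None
    delim = p[0]
    if delim.isalnum() or delim == '\\':
        return None  # PHP rejects alphanumeric and backslash delimiters
    close = BRACKET_PAIRS.get(delim, delim)
    # Modifiers are letters only, so the last closing delimiter is the real one.
    end = p.rfind(close)
    if end <= 0:
        return None
    mods = p[end + 1:].strip()
    if mods and not mods.isalpha():
        return None
    return mods


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Scan PHP source text. Returns (line_no, status, line) for each
    preg_replace() call that uses the e modifier ("e-modifier"), whose pattern
    is not a literal ("non-literal"), or whose literal could not be parsed
    ("unparsed"). Calls with a clean literal pattern produce no finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for call in CALL_RE.finditer(line):
            rest = line[call.end():]
            lit = LITERAL_RE.match(rest)
            if lit is None:
                findings.append((lineno, "non-literal", line.strip()))
                continue
            mods = pattern_modifiers(lit.group("body"))
            if mods is None:
                findings.append((lineno, "unparsed", line.strip()))
            elif "e" in mods:
                findings.append((lineno, "e-modifier", line.strip()))
    return findings


def has_e_modifier_calls(source: str) -> bool:
    """True if any preg_replace() call in the source provably uses /e."""
    return any(status == "e-modifier" for _, status, _ in scan_php(source))


if __name__ == "__main__":
    for lineno, status, text in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {status}: {text}")
```

Run against a real tree with something like `for f in $(git ls-files '*.php'); do ...` feeding each file to scan_php(). Every "e-modifier" hit is a candidate for rewriting to preg_replace_callback() with a plain function as the replacement, which is the fix the PHP manual recommends and the direction the advisory points to; "non-literal" hits are the ones a scanner cannot clear and a reviewer must trace by hand.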
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-30T14:44:47.329Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 698245baf9fa50a62fda11e7
Added to database: 2/3/2026, 7:00:10 PM
Last enriched: 2/3/2026, 7:15:46 PM
Last updated: 2/7/2026, 7:47:58 PM