CVE-2026-25237: CWE-624: Executable Regular Expression Error in pear pearweb
CVE-2026-25237 is a critical vulnerability in pearweb, a component of the PEAR PHP framework, affecting versions prior to 1.33.0. It arises from the use of preg_replace() with the deprecated /e modifier, which allows attacker-controlled input to be evaluated as PHP code during bug update email handling. This leads to remote code execution without requiring authentication or user interaction. The vulnerability has a CVSS 4.0 score of 9.2, indicating high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make it a significant threat. European organizations using pearweb in their PHP environments are at risk, especially those in sectors relying on legacy PHP components.
AI Analysis
Technical Summary
CVE-2026-25237 is a critical remote code execution vulnerability in pearweb, a part of the PEAR framework used for reusable PHP components. The flaw stems from the use of the preg_replace() function with the /e modifier, which evaluates the replacement string as PHP code. In pearweb versions prior to 1.33.0, this occurs during the processing of bug update emails, where attacker-controlled input can be injected into the evaluated replacement parameter. This allows an unauthenticated attacker to execute arbitrary PHP code on the server, potentially leading to full system compromise. The vulnerability is classified under CWE-624 (Executable Regular Expression Error), reflecting the misuse of regular expression evaluation leading to code execution. The CVSS 4.0 score of 9.2 reflects the vulnerability's network attack vector, low complexity, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been observed yet, the vulnerability is straightforward to exploit due to the direct evaluation of attacker input. The issue was patched in pearweb version 1.33.0 by removing the unsafe use of preg_replace() with the /e modifier. Organizations running pearweb versions below 1.33.0 should prioritize upgrading and review any custom PHP code that might use similar patterns. Given PEAR's usage in PHP development, this vulnerability poses a significant risk to web applications relying on pearweb components.
Potential Impact
The impact of CVE-2026-25237 on European organizations can be severe. Successful exploitation allows remote attackers to execute arbitrary PHP code without authentication or user interaction, potentially leading to full server compromise. This can result in data breaches, unauthorized access to sensitive information, disruption of services, and deployment of further malware or ransomware. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on PHP-based web applications using pearweb are particularly vulnerable. The vulnerability undermines confidentiality, integrity, and availability of affected systems. Given the high CVSS score and ease of exploitation, attackers could leverage this flaw to pivot within networks or exfiltrate data. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the threat landscape could rapidly evolve. European entities with legacy PHP environments or delayed patching practices face increased risk of targeted attacks exploiting this vulnerability.
Mitigation Recommendations
1. Immediately upgrade pearweb to version 1.33.0 or later, where the vulnerability is patched.
2. Audit all PHP codebases for usage of preg_replace() with the /e modifier or similar constructs that evaluate user input, and refactor to use safer alternatives such as preg_replace_callback().
3. Implement strict input validation and sanitization for any data processed by regular expressions or evaluated code paths.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this vulnerability.
5. Monitor logs for unusual activity related to bug update email handling or unexpected PHP code execution.
6. Conduct penetration testing focusing on injection vectors in PHP applications using pearweb components.
7. Educate development teams on secure PHP coding practices to avoid deprecated and unsafe functions.
8. Maintain an up-to-date inventory of PHP components and dependencies to ensure timely patching.
9. Restrict permissions of PHP processes to minimize impact if exploitation occurs.
10. Consider network segmentation to isolate critical systems running vulnerable PHP applications.
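Illustration added here, not pearweb's code: a hypothetical bug-update template handler showing the /e pattern the advisory describes beside its preg_replace_callback() rewrite, plus a small audit helper for recommendation 2. Function and field names are assumed; the code needs PHP 7.1 or later.

```php
<?php
// Hypothetical bug-update email template handler (constructed for this
// illustration, not pearweb's code). Placeholders such as {summary} are
// filled from fields, some of which originate in the untrusted email.
//
// UNSAFE pattern the advisory describes: with /e, preg_replace() substitutes
// the backreference into the replacement and then eval()s the result, so text
// captured from the email becomes PHP source. PHP 7.0 removed the modifier:
// the call warns "Unknown modifier 'e'" and returns NULL.
//
//   $out = preg_replace('/\{(\w+)\}/e', '$fields["$1"]', $template);

// SAFE form: preg_replace_callback() hands each match to a closure; the
// captured text is only used as an array key and is never parsed as PHP.
function renderBugUpdate(string $template, array $fields): string
{
    $out = preg_replace_callback(
        '/\{(\w+)\}/',
        static function (array $m) use ($fields): string {
            // Unknown placeholders stay literal instead of being evaluated.
            return array_key_exists($m[1], $fields) ? (string) $fields[$m[1]] : $m[0];
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('render failed, preg error ' . preg_last_error());
    }
    return $out;
}

// Audit helper for recommendation 2: report preg_replace() calls whose static
// pattern literal carries the e modifier. Runtime-built patterns and escaped
// quotes inside the literal are not handled; review those by hand.
function findEvalModifierCalls(string $phpSource): array
{
    $hits = [];
    // quote, delimiter, body, same delimiter, modifiers containing e, quote
    $re = '/preg_replace\s*\(\s*([\'"])(.)(?:(?!\1).)*\2[A-Za-z]*e[A-Za-z]*\1/';
    if (preg_match_all($re, $phpSource, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [$call, $offset]) {
            $hits[] = ['line' => substr_count($phpSource, "\n", 0, $offset) + 1, 'call' => $call];
        }
    }
    return $hits;
}

// Constructed sample source: only the first call is reported (line 1).
$sample = "\$a = preg_replace('/x/e', 'f(\"\$1\")', \$s);\n\$b = preg_replace('/x/i', 'y', \$s);\n";
print_r(findEvalModifierCalls($sample));
```

Run the audit helper over each PHP file's contents; a non-empty result lists the line number and the offending call text so it can be refactored to the callback form.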
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-30T14:44:47.329Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698245baf9fa50a62fda11e7
Added to database: 2/3/2026, 7:00:10 PM
Last enriched: 2/11/2026, 11:45:44 AM
Last updated: 3/24/2026, 11:33:27 AM