Primary

Context

PEAR Remote Code Execution Vulnerability via preg_replace() with /e Modifier in Bug Update Email Handling

Vulnerability

Patched

A remote code execution vulnerability has been identified in PEAR versions prior to 1.33.0. The issue arises from the use of preg_replace() with the /e modifier in the mail_bug_updates() function, located in public_html/bugs/include/functions.inc. This combination can lead to PHP code execution if attacker-controlled content, such as bug comments, is processed and escapes the intended quoting context.

Impact

Exploitation of this vulnerability allows for arbitrary PHP code execution on the server.

Remediation

Users can upgrade to PEAR version 1.33.0 or later to address this vulnerability.

Added: Feb 3, 2026, 7:32 PM

Updated: Feb 3, 2026, 7:32 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.4

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

7.4

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PEAR Remote Code Execution Vulnerability via preg_replace() with /e Modifier in Bug Update Email Handling

Vulnerability

Impact

Remediation

Affected Products

PEAR

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating