Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    46 vulnerabilities by pear

    CVE-2026-25241 (GCVE-0-2026-25241)

    Vulnerability from nvd – Published: 2026-02-03 18:31 – Updated: 2026-02-04 21:18
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:18:34.924840Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:18:41.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/\u003cpackage\u003e/\u003cversion\u003e endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:31:17.010Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p"
            }
          ],
          "source": {
            "advisory": "GHSA-63fv-vpq5-gv8p",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in /get/\u003cpackage\u003e/\u003cversion\u003e Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25241",
        "datePublished": "2026-02-03T18:31:17.010Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:18:41.250Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25240 (GCVE-0-2026-25240)

    Vulnerability from nvd – Published: 2026-02-03 18:31 – Updated: 2026-02-04 21:17
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25240",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:17:09.145975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:17:16.583Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:31:01.103Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f"
            }
          ],
          "source": {
            "advisory": "GHSA-xw9g-5gr2-c44f",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25240",
        "datePublished": "2026-02-03T18:31:01.103Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:17:16.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25239 (GCVE-0-2026-25239)

    Vulnerability from nvd – Published: 2026-02-03 18:30 – Updated: 2026-02-04 21:16
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:16:38.408147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:16:47.763Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:30:53.704Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg"
            }
          ],
          "source": {
            "advisory": "GHSA-f9mg-x463-3vxg",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25239",
        "datePublished": "2026-02-03T18:30:53.704Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:16:47.763Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25238 (GCVE-0-2026-25238)

    Vulnerability from nvd – Published: 2026-02-03 18:30 – Updated: 2026-02-04 21:16
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:16:12.312910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:16:19.309Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:30:14.305Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv"
            }
          ],
          "source": {
            "advisory": "GHSA-cv3c-27h5-7gmv",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25238",
        "datePublished": "2026-02-03T18:30:14.305Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:16:19.309Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25237 (GCVE-0-2026-25237)

    Vulnerability from nvd – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:21
    VLAI
    Title
    PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-624 - Executable Regular Expression Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:21:43.501877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:21:50.253Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-624",
                  "description": "CWE-624: Executable Regular Expression Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:54.001Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23"
            }
          ],
          "source": {
            "advisory": "GHSA-vhw6-hqh9-8r23",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25237",
        "datePublished": "2026-02-03T18:29:54.001Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T20:21:50.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25236 (GCVE-0-2026-25236)

    Vulnerability from nvd – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:34
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Damblan_Karma IN() Query via Literal Substitution
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25236",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:34:24.204541Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:34:31.656Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:46.866Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f"
            }
          ],
          "source": {
            "advisory": "GHSA-95mc-p966-c29f",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Damblan_Karma IN() Query via Literal Substitution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25236",
        "datePublished": "2026-02-03T18:29:46.866Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T20:34:31.656Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25235 (GCVE-0-2026-25235)

    Vulnerability from nvd – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:34
    VLAI
    Title
    PEAR Has a Predictable Verification Hash in Election Account Requests
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:34:51.725693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:34:59.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-337",
                  "description": "CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:39.698Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf"
            }
          ],
          "source": {
            "advisory": "GHSA-477r-4cmw-3cgf",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR Has a Predictable Verification Hash in Election Account Requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25235",
        "datePublished": "2026-02-03T18:29:39.698Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T20:34:59.115Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25234 (GCVE-0-2026-25234)

    Vulnerability from nvd – Published: 2026-02-03 18:29 – Updated: 2026-02-04 21:15
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Category Deletion
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25234",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:15:18.473435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:15:38.932Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:19.724Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722"
            }
          ],
          "source": {
            "advisory": "GHSA-q28j-3p7r-6722",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Category Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25234",
        "datePublished": "2026-02-03T18:29:19.724Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T21:15:38.932Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25233 (GCVE-0-2026-25233)

    Vulnerability from nvd – Published: 2026-02-03 18:29 – Updated: 2026-02-04 21:14
    VLAI
    Title
    PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-783 - Operator Precedence Logic Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:14:35.359296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:14:41.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-783",
                  "description": "CWE-783: Operator Precedence Logic Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:13.336Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3"
            }
          ],
          "source": {
            "advisory": "GHSA-p92v-9j73-fxx3",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25233",
        "datePublished": "2026-02-03T18:29:13.336Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T21:14:41.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-24953 (GCVE-0-2022-24953)

    Vulnerability from nvd – Published: 2022-02-17 04:22 – Updated: 2024-08-03 04:29
    VLAI
    Summary
    The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:29:01.616Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-17T04:22:05.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-24953",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04",
                  "refsource": "MISC",
                  "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
                },
                {
                  "name": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-24953",
        "datePublished": "2022-02-17T04:22:05.000Z",
        "dateReserved": "2022-02-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:29:01.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-5677 (GCVE-0-2017-5677)

    Vulnerability from nvd – Published: 2017-02-06 18:00 – Updated: 2024-08-05 15:11
    VLAI
    Summary
    PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2017-02-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:11:47.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://karmainsecurity.com/KIS-2017-01"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
              },
              {
                "name": "96044",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/96044"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://pear.php.net/bugs/bug.php?id=21165"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-02-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-02-07T10:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://karmainsecurity.com/KIS-2017-01"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
            },
            {
              "name": "96044",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/96044"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://pear.php.net/bugs/bug.php?id=21165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-5677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://karmainsecurity.com/KIS-2017-01",
                  "refsource": "MISC",
                  "url": "http://karmainsecurity.com/KIS-2017-01"
                },
                {
                  "name": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/",
                  "refsource": "MISC",
                  "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
                },
                {
                  "name": "http://seclists.org/fulldisclosure/2017/Feb/12",
                  "refsource": "MISC",
                  "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
                },
                {
                  "name": "96044",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/96044"
                },
                {
                  "name": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646",
                  "refsource": "MISC",
                  "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
                },
                {
                  "name": "https://pear.php.net/bugs/bug.php?id=21165",
                  "refsource": "MISC",
                  "url": "https://pear.php.net/bugs/bug.php?id=21165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-5677",
        "datePublished": "2017-02-06T18:00:00.000Z",
        "dateReserved": "2017-02-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:11:47.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4111 (GCVE-0-2009-4111)

    Vulnerability from nvd – Published: 2009-11-28 18:00 – Updated: 2024-08-07 06:54
    VLAI
    Summary
    Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-11-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:54:09.376Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "SUSE-SR:2010:020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
              },
              {
                "name": "37458",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37458"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200"
              },
              {
                "name": "DSA-1938",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1938"
              },
              {
                "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
              },
              {
                "name": "37395",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37395"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2009-12-04T10:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "SUSE-SR:2010:020",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
            },
            {
              "name": "37458",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37458"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200"
            },
            {
              "name": "DSA-1938",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1938"
            },
            {
              "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
            },
            {
              "name": "37395",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37395"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-4111",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "SUSE-SR:2010:020",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
                },
                {
                  "name": "37458",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37458"
                },
                {
                  "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
                },
                {
                  "name": "http://pear.php.net/bugs/bug.php?id=16200",
                  "refsource": "MISC",
                  "url": "http://pear.php.net/bugs/bug.php?id=16200"
                },
                {
                  "name": "DSA-1938",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1938"
                },
                {
                  "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
                },
                {
                  "name": "37395",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37395"
                },
                {
                  "name": "https://bugs.gentoo.org/show_bug.cgi?id=294256",
                  "refsource": "MISC",
                  "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-4111",
        "datePublished": "2009-11-28T18:00:00.000Z",
        "dateReserved": "2009-11-28T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:54:09.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4025 (GCVE-0-2009-4025)

    Vulnerability from nvd – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://pear.php.net/advisory20091114-01.txt x_refsource_CONFIRM
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    http://security.gentoo.org/glsa/glsa-200911-06.xml vendor-advisoryx_refsource_GENTOO
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    http://pear.php.net/package/Net_Traceroute/downlo… x_refsource_CONFIRM
    http://www.openwall.com/lists/oss-security/2009/11/23/8 mailing-listx_refsource_MLIST
    http://secunia.com/advisories/37497 third-party-advisoryx_refsource_SECUNIA
    http://www.securityfocus.com/bid/37094 vdb-entryx_refsource_BID
    http://blog.pear.php.net/2009/11/14/net_tracerout… x_refsource_CONFIRM
    http://www.vupen.com/english/advisories/2009/3321 vdb-entryx_refsource_VUPEN
    http://secunia.com/advisories/37503 third-party-advisoryx_refsource_SECUNIA
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://osvdb.org/60515 vdb-entryx_refsource_OSVDB
    Date Public
    2009-11-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:51.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/advisory20091114-01.txt"
              },
              {
                "name": "FEDORA-2009-11617",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
              },
              {
                "name": "GLSA-200911-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
              },
              {
                "name": "FEDORA-2009-12083",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "name": "37497",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37497"
              },
              {
                "name": "37094",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37094"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
              },
              {
                "name": "ADV-2009-3321",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3321"
              },
              {
                "name": "37503",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37503"
              },
              {
                "name": "FEDORA-2009-11551",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
              },
              {
                "name": "nettraceroute-traceroute-command-execution(54391)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
              },
              {
                "name": "60515",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/60515"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: some of these details are obtained from third party information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/advisory20091114-01.txt"
            },
            {
              "name": "FEDORA-2009-11617",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
            },
            {
              "name": "GLSA-200911-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
            },
            {
              "name": "FEDORA-2009-12083",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "name": "37497",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37497"
            },
            {
              "name": "37094",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37094"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
            },
            {
              "name": "ADV-2009-3321",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3321"
            },
            {
              "name": "37503",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37503"
            },
            {
              "name": "FEDORA-2009-11551",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
            },
            {
              "name": "nettraceroute-traceroute-command-execution(54391)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
            },
            {
              "name": "60515",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/60515"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2009-4025",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: some of these details are obtained from third party information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://pear.php.net/advisory20091114-01.txt",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/advisory20091114-01.txt"
                },
                {
                  "name": "FEDORA-2009-11617",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
                },
                {
                  "name": "GLSA-200911-06",
                  "refsource": "GENTOO",
                  "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
                },
                {
                  "name": "FEDORA-2009-12083",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
                },
                {
                  "name": "http://pear.php.net/package/Net_Traceroute/download/0.21.2",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
                },
                {
                  "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
                },
                {
                  "name": "37497",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37497"
                },
                {
                  "name": "37094",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37094"
                },
                {
                  "name": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/",
                  "refsource": "CONFIRM",
                  "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
                },
                {
                  "name": "ADV-2009-3321",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/3321"
                },
                {
                  "name": "37503",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37503"
                },
                {
                  "name": "FEDORA-2009-11551",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
                },
                {
                  "name": "nettraceroute-traceroute-command-execution(54391)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
                },
                {
                  "name": "60515",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/60515"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4025",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:51.053Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4024 (GCVE-0-2009-4024)

    Vulnerability from nvd – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-11-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:50.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2009-11613",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/advisory20091114-01.txt"
              },
              {
                "name": "FEDORA-2009-12156",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
              },
              {
                "name": "netping-ping-command-execution(54390)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
              },
              {
                "name": "37093",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37093"
              },
              {
                "name": "ADV-2009-3320",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3320"
              },
              {
                "name": "37502",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37502"
              },
              {
                "name": "FEDORA-2009-11523",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
              },
              {
                "name": "DSA-1949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1949"
              },
              {
                "name": "37451",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37451"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: this has also been reported as a shell metacharacter problem."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2009-11613",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/advisory20091114-01.txt"
            },
            {
              "name": "FEDORA-2009-12156",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
            },
            {
              "name": "netping-ping-command-execution(54390)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
            },
            {
              "name": "37093",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37093"
            },
            {
              "name": "ADV-2009-3320",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3320"
            },
            {
              "name": "37502",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37502"
            },
            {
              "name": "FEDORA-2009-11523",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
            },
            {
              "name": "DSA-1949",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1949"
            },
            {
              "name": "37451",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37451"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2009-4024",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: this has also been reported as a shell metacharacter problem."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2009-11613",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
                },
                {
                  "name": "http://pear.php.net/package/Net_Ping/download/2.4.5",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
                },
                {
                  "name": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669",
                  "refsource": "CONFIRM",
                  "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
                },
                {
                  "name": "http://pear.php.net/advisory20091114-01.txt",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/advisory20091114-01.txt"
                },
                {
                  "name": "FEDORA-2009-12156",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
                },
                {
                  "name": "netping-ping-command-execution(54390)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
                },
                {
                  "name": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/",
                  "refsource": "CONFIRM",
                  "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
                },
                {
                  "name": "37093",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37093"
                },
                {
                  "name": "ADV-2009-3320",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/3320"
                },
                {
                  "name": "37502",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37502"
                },
                {
                  "name": "FEDORA-2009-11523",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
                },
                {
                  "name": "DSA-1949",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1949"
                },
                {
                  "name": "37451",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37451"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4024",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:50.941Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4023 (GCVE-0-2009-4023)

    Vulnerability from nvd – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-05-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:51.049Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "37081",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37081"
              },
              {
                "name": "SUSE-SR:2010:020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
              },
              {
                "name": "37458",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37458"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "name": "ADV-2009-3300",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3300"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200\u0026edit=12\u0026patch=quick-fix\u0026revision=1241757412"
              },
              {
                "name": "pear-from-security-bypass(54362)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54362"
              },
              {
                "name": "DSA-1938",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1938"
              },
              {
                "name": "37410",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37410"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717\u0026r2=280134"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "37081",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37081"
            },
            {
              "name": "SUSE-SR:2010:020",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
            },
            {
              "name": "37458",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37458"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "name": "ADV-2009-3300",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3300"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200\u0026edit=12\u0026patch=quick-fix\u0026revision=1241757412"
            },
            {
              "name": "pear-from-security-bypass(54362)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54362"
            },
            {
              "name": "DSA-1938",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1938"
            },
            {
              "name": "37410",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37410"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717\u0026r2=280134"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4023",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:51.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-25241 (GCVE-0-2026-25241)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:31 – Updated: 2026-02-04 21:18
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:18:34.924840Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:18:41.250Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/\u003cpackage\u003e/\u003cversion\u003e endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:31:17.010Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p"
            }
          ],
          "source": {
            "advisory": "GHSA-63fv-vpq5-gv8p",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in /get/\u003cpackage\u003e/\u003cversion\u003e Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25241",
        "datePublished": "2026-02-03T18:31:17.010Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:18:41.250Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25240 (GCVE-0-2026-25240)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:31 – Updated: 2026-02-04 21:17
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25240",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:17:09.145975Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:17:16.583Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:31:01.103Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f"
            }
          ],
          "source": {
            "advisory": "GHSA-xw9g-5gr2-c44f",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in user::maintains() Role IN() Filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25240",
        "datePublished": "2026-02-03T18:31:01.103Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:17:16.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25239 (GCVE-0-2026-25239)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:30 – Updated: 2026-02-04 21:16
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25239",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:16:38.408147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:16:47.763Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:30:53.704Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg"
            }
          ],
          "source": {
            "advisory": "GHSA-f9mg-x463-3vxg",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25239",
        "datePublished": "2026-02-03T18:30:53.704Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:16:47.763Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25238 (GCVE-0-2026-25238)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:30 – Updated: 2026-02-04 21:16
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25238",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:16:12.312910Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:16:19.309Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:30:14.305Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv"
            }
          ],
          "source": {
            "advisory": "GHSA-cv3c-27h5-7gmv",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25238",
        "datePublished": "2026-02-03T18:30:14.305Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T21:16:19.309Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25237 (GCVE-0-2026-25237)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:21
    VLAI
    Title
    PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-624 - Executable Regular Expression Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25237",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:21:43.501877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:21:50.253Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-624",
                  "description": "CWE-624: Executable Regular Expression Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:54.001Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23"
            }
          ],
          "source": {
            "advisory": "GHSA-vhw6-hqh9-8r23",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25237",
        "datePublished": "2026-02-03T18:29:54.001Z",
        "dateReserved": "2026-01-30T14:44:47.329Z",
        "dateUpdated": "2026-02-04T20:21:50.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25236 (GCVE-0-2026-25236)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:34
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Damblan_Karma IN() Query via Literal Substitution
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25236",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:34:24.204541Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:34:31.656Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:46.866Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f"
            }
          ],
          "source": {
            "advisory": "GHSA-95mc-p966-c29f",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Damblan_Karma IN() Query via Literal Substitution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25236",
        "datePublished": "2026-02-03T18:29:46.866Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T20:34:31.656Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25235 (GCVE-0-2026-25235)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:29 – Updated: 2026-02-04 20:34
    VLAI
    Title
    PEAR Has a Predictable Verification Hash in Election Account Requests
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T20:34:51.725693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T20:34:59.115Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-337",
                  "description": "CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:39.698Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf"
            }
          ],
          "source": {
            "advisory": "GHSA-477r-4cmw-3cgf",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR Has a Predictable Verification Hash in Election Account Requests"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25235",
        "datePublished": "2026-02-03T18:29:39.698Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T20:34:59.115Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25234 (GCVE-0-2026-25234)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:29 – Updated: 2026-02-04 21:15
    VLAI
    Title
    PEAR is Vulnerable to SQL Injection in Category Deletion
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25234",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:15:18.473435Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:15:38.932Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:19.724Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722"
            }
          ],
          "source": {
            "advisory": "GHSA-q28j-3p7r-6722",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR is Vulnerable to SQL Injection in Category Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25234",
        "datePublished": "2026-02-03T18:29:19.724Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T21:15:38.932Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25233 (GCVE-0-2026-25233)

    Vulnerability from cvelistv5 – Published: 2026-02-03 18:29 – Updated: 2026-02-04 21:14
    VLAI
    Title
    PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug
    Summary
    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-783 - Operator Precedence Logic Error
    Assigner
    References
    Impacted products
    Vendor Product Version
    pear pearweb Affected: < 1.33.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-04T21:14:35.359296Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-04T21:14:41.218Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "pearweb",
              "vendor": "pear",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.33.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-783",
                  "description": "CWE-783: Operator Precedence Logic Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-03T18:29:13.336Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3"
            }
          ],
          "source": {
            "advisory": "GHSA-p92v-9j73-fxx3",
            "discovery": "UNKNOWN"
          },
          "title": "PEAR Has a Roadmap Authorization Bypass via Operator Precedence Bug"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25233",
        "datePublished": "2026-02-03T18:29:13.336Z",
        "dateReserved": "2026-01-30T14:44:47.328Z",
        "dateUpdated": "2026-02-04T21:14:41.218Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-24953 (GCVE-0-2022-24953)

    Vulnerability from cvelistv5 – Published: 2022-02-17 04:22 – Updated: 2024-08-03 04:29
    VLAI
    Summary
    The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:29:01.616Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-17T04:22:05.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-24953",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04",
                  "refsource": "MISC",
                  "url": "https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04"
                },
                {
                  "name": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/pear/Crypt_GPG/commit/29c0fbe96d0d4063ecd5c9a4644cb65a7fb7cc4e"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-24953",
        "datePublished": "2022-02-17T04:22:05.000Z",
        "dateReserved": "2022-02-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:29:01.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-5677 (GCVE-0-2017-5677)

    Vulnerability from cvelistv5 – Published: 2017-02-06 18:00 – Updated: 2024-08-05 15:11
    VLAI
    Summary
    PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2017-02-06 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T15:11:47.784Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://karmainsecurity.com/KIS-2017-01"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
              },
              {
                "name": "96044",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/96044"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://pear.php.net/bugs/bug.php?id=21165"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2017-02-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-02-07T10:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://karmainsecurity.com/KIS-2017-01"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
            },
            {
              "name": "96044",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/96044"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://pear.php.net/bugs/bug.php?id=21165"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2017-5677",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://karmainsecurity.com/KIS-2017-01",
                  "refsource": "MISC",
                  "url": "http://karmainsecurity.com/KIS-2017-01"
                },
                {
                  "name": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/",
                  "refsource": "MISC",
                  "url": "http://blog.pear.php.net/2017/02/02/security-html_ajax-058/"
                },
                {
                  "name": "http://seclists.org/fulldisclosure/2017/Feb/12",
                  "refsource": "MISC",
                  "url": "http://seclists.org/fulldisclosure/2017/Feb/12"
                },
                {
                  "name": "96044",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/96044"
                },
                {
                  "name": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646",
                  "refsource": "MISC",
                  "url": "https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5acb5adcd195f9a06b732794cb0de7620def646"
                },
                {
                  "name": "https://pear.php.net/bugs/bug.php?id=21165",
                  "refsource": "MISC",
                  "url": "https://pear.php.net/bugs/bug.php?id=21165"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2017-5677",
        "datePublished": "2017-02-06T18:00:00.000Z",
        "dateReserved": "2017-02-01T00:00:00.000Z",
        "dateUpdated": "2024-08-05T15:11:47.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4111 (GCVE-0-2009-4111)

    Vulnerability from cvelistv5 – Published: 2009-11-28 18:00 – Updated: 2024-08-07 06:54
    VLAI
    Summary
    Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-11-21 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:54:09.376Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "SUSE-SR:2010:020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
              },
              {
                "name": "37458",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37458"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200"
              },
              {
                "name": "DSA-1938",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1938"
              },
              {
                "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
              },
              {
                "name": "37395",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37395"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2009-12-04T10:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "SUSE-SR:2010:020",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
            },
            {
              "name": "37458",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37458"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200"
            },
            {
              "name": "DSA-1938",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1938"
            },
            {
              "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
            },
            {
              "name": "37395",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37395"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2009-4111",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "SUSE-SR:2010:020",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
                },
                {
                  "name": "37458",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37458"
                },
                {
                  "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
                },
                {
                  "name": "http://pear.php.net/bugs/bug.php?id=16200",
                  "refsource": "MISC",
                  "url": "http://pear.php.net/bugs/bug.php?id=16200"
                },
                {
                  "name": "DSA-1938",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1938"
                },
                {
                  "name": "[oss-security] 20091128 Re: CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/28/2"
                },
                {
                  "name": "37395",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37395"
                },
                {
                  "name": "https://bugs.gentoo.org/show_bug.cgi?id=294256",
                  "refsource": "MISC",
                  "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2009-4111",
        "datePublished": "2009-11-28T18:00:00.000Z",
        "dateReserved": "2009-11-28T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:54:09.376Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4025 (GCVE-0-2009-4025)

    Vulnerability from cvelistv5 – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    URL Tags
    http://pear.php.net/advisory20091114-01.txt x_refsource_CONFIRM
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    http://security.gentoo.org/glsa/glsa-200911-06.xml vendor-advisoryx_refsource_GENTOO
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    http://pear.php.net/package/Net_Traceroute/downlo… x_refsource_CONFIRM
    http://www.openwall.com/lists/oss-security/2009/11/23/8 mailing-listx_refsource_MLIST
    http://secunia.com/advisories/37497 third-party-advisoryx_refsource_SECUNIA
    http://www.securityfocus.com/bid/37094 vdb-entryx_refsource_BID
    http://blog.pear.php.net/2009/11/14/net_tracerout… x_refsource_CONFIRM
    http://www.vupen.com/english/advisories/2009/3321 vdb-entryx_refsource_VUPEN
    http://secunia.com/advisories/37503 third-party-advisoryx_refsource_SECUNIA
    https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
    https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
    http://osvdb.org/60515 vdb-entryx_refsource_OSVDB
    Date Public
    2009-11-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:51.053Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/advisory20091114-01.txt"
              },
              {
                "name": "FEDORA-2009-11617",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
              },
              {
                "name": "GLSA-200911-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
              },
              {
                "name": "FEDORA-2009-12083",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "name": "37497",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37497"
              },
              {
                "name": "37094",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37094"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
              },
              {
                "name": "ADV-2009-3321",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3321"
              },
              {
                "name": "37503",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37503"
              },
              {
                "name": "FEDORA-2009-11551",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
              },
              {
                "name": "nettraceroute-traceroute-command-execution(54391)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
              },
              {
                "name": "60515",
                "tags": [
                  "vdb-entry",
                  "x_refsource_OSVDB",
                  "x_transferred"
                ],
                "url": "http://osvdb.org/60515"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: some of these details are obtained from third party information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/advisory20091114-01.txt"
            },
            {
              "name": "FEDORA-2009-11617",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
            },
            {
              "name": "GLSA-200911-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
            },
            {
              "name": "FEDORA-2009-12083",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "name": "37497",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37497"
            },
            {
              "name": "37094",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37094"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
            },
            {
              "name": "ADV-2009-3321",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3321"
            },
            {
              "name": "37503",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37503"
            },
            {
              "name": "FEDORA-2009-11551",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
            },
            {
              "name": "nettraceroute-traceroute-command-execution(54391)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
            },
            {
              "name": "60515",
              "tags": [
                "vdb-entry",
                "x_refsource_OSVDB"
              ],
              "url": "http://osvdb.org/60515"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2009-4025",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: some of these details are obtained from third party information."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://pear.php.net/advisory20091114-01.txt",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/advisory20091114-01.txt"
                },
                {
                  "name": "FEDORA-2009-11617",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00998.html"
                },
                {
                  "name": "GLSA-200911-06",
                  "refsource": "GENTOO",
                  "url": "http://security.gentoo.org/glsa/glsa-200911-06.xml"
                },
                {
                  "name": "FEDORA-2009-12083",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01007.html"
                },
                {
                  "name": "http://pear.php.net/package/Net_Traceroute/download/0.21.2",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/package/Net_Traceroute/download/0.21.2"
                },
                {
                  "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
                },
                {
                  "name": "37497",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37497"
                },
                {
                  "name": "37094",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37094"
                },
                {
                  "name": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/",
                  "refsource": "CONFIRM",
                  "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
                },
                {
                  "name": "ADV-2009-3321",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/3321"
                },
                {
                  "name": "37503",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37503"
                },
                {
                  "name": "FEDORA-2009-11551",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01110.html"
                },
                {
                  "name": "nettraceroute-traceroute-command-execution(54391)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54391"
                },
                {
                  "name": "60515",
                  "refsource": "OSVDB",
                  "url": "http://osvdb.org/60515"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4025",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:51.053Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4023 (GCVE-0-2009-4023)

    Vulnerability from cvelistv5 – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-05-07 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:51.049Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "37081",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37081"
              },
              {
                "name": "SUSE-SR:2010:020",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
              },
              {
                "name": "37458",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37458"
              },
              {
                "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
              },
              {
                "name": "ADV-2009-3300",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3300"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200\u0026edit=12\u0026patch=quick-fix\u0026revision=1241757412"
              },
              {
                "name": "pear-from-security-bypass(54362)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54362"
              },
              {
                "name": "DSA-1938",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1938"
              },
              {
                "name": "37410",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37410"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717\u0026r2=280134"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/bugs/bug.php?id=16200"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-05-07T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "37081",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37081"
            },
            {
              "name": "SUSE-SR:2010:020",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html"
            },
            {
              "name": "37458",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37458"
            },
            {
              "name": "[oss-security] 20091123 CVE request: Argument injections in multiple PEAR packages",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2009/11/23/8"
            },
            {
              "name": "ADV-2009-3300",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3300"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.gentoo.org/show_bug.cgi?id=294256"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200\u0026edit=12\u0026patch=quick-fix\u0026revision=1241757412"
            },
            {
              "name": "pear-from-security-bypass(54362)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54362"
            },
            {
              "name": "DSA-1938",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1938"
            },
            {
              "name": "37410",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37410"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://svn.php.net/viewvc/pear/packages/Mail/trunk/Mail/sendmail.php?r1=243717\u0026r2=280134"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/bugs/bug.php?id=16200"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4023",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:51.049Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2009-4024 (GCVE-0-2009-4024)

    Vulnerability from cvelistv5 – Published: 2009-11-28 17:00 – Updated: 2024-08-07 06:45
    VLAI
    Summary
    Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Date Public
    2009-11-14 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-07T06:45:50.941Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "FEDORA-2009-11613",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://pear.php.net/advisory20091114-01.txt"
              },
              {
                "name": "FEDORA-2009-12156",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
              },
              {
                "name": "netping-ping-command-execution(54390)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
              },
              {
                "name": "37093",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/37093"
              },
              {
                "name": "ADV-2009-3320",
                "tags": [
                  "vdb-entry",
                  "x_refsource_VUPEN",
                  "x_transferred"
                ],
                "url": "http://www.vupen.com/english/advisories/2009/3320"
              },
              {
                "name": "37502",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37502"
              },
              {
                "name": "FEDORA-2009-11523",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
              },
              {
                "name": "DSA-1949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2009/dsa-1949"
              },
              {
                "name": "37451",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/37451"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2009-11-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: this has also been reported as a shell metacharacter problem."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-08-16T14:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "FEDORA-2009-11613",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://pear.php.net/advisory20091114-01.txt"
            },
            {
              "name": "FEDORA-2009-12156",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
            },
            {
              "name": "netping-ping-command-execution(54390)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
            },
            {
              "name": "37093",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/37093"
            },
            {
              "name": "ADV-2009-3320",
              "tags": [
                "vdb-entry",
                "x_refsource_VUPEN"
              ],
              "url": "http://www.vupen.com/english/advisories/2009/3320"
            },
            {
              "name": "37502",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37502"
            },
            {
              "name": "FEDORA-2009-11523",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
            },
            {
              "name": "DSA-1949",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2009/dsa-1949"
            },
            {
              "name": "37451",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/37451"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2009-4024",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter.  NOTE: this has also been reported as a shell metacharacter problem."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "FEDORA-2009-11613",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01152.html"
                },
                {
                  "name": "http://pear.php.net/package/Net_Ping/download/2.4.5",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/package/Net_Ping/download/2.4.5"
                },
                {
                  "name": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669",
                  "refsource": "CONFIRM",
                  "url": "http://svn.php.net/viewvc/pear/packages/Net_Ping/trunk/Ping.php?r1=274728\u0026r2=290669\u0026pathrev=290669"
                },
                {
                  "name": "http://pear.php.net/advisory20091114-01.txt",
                  "refsource": "CONFIRM",
                  "url": "http://pear.php.net/advisory20091114-01.txt"
                },
                {
                  "name": "FEDORA-2009-12156",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01130.html"
                },
                {
                  "name": "netping-ping-command-execution(54390)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54390"
                },
                {
                  "name": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/",
                  "refsource": "CONFIRM",
                  "url": "http://blog.pear.php.net/2009/11/14/net_traceroute-and-net_ping-security-advisory/"
                },
                {
                  "name": "37093",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/37093"
                },
                {
                  "name": "ADV-2009-3320",
                  "refsource": "VUPEN",
                  "url": "http://www.vupen.com/english/advisories/2009/3320"
                },
                {
                  "name": "37502",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37502"
                },
                {
                  "name": "FEDORA-2009-11523",
                  "refsource": "FEDORA",
                  "url": "https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01044.html"
                },
                {
                  "name": "DSA-1949",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2009/dsa-1949"
                },
                {
                  "name": "37451",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/37451"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2009-4024",
        "datePublished": "2009-11-28T17:00:00.000Z",
        "dateReserved": "2009-11-20T00:00:00.000Z",
        "dateUpdated": "2024-08-07T06:45:50.941Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }