HIGHCVE-2026-25235Published 2026-02-03Modified 2026-02-04CNA GitHub_M

CVE-2026-25235: PEAR Has a Predictable Verification Hash in Election Account Requests

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

pear / pearweb
< 1.33.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf

Metrics