pear 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk sql injection and パス処理の欠陥 などに関し、一部は ファイル上書き を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-25241 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. | [email protected] | 9.3 | 0.04% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25240 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0. | [email protected] | 6.9 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25239 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. | [email protected] | 8.2 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25238 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | [email protected] | 9.2 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25237 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. | [email protected] | 9.2 | 0.16% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25236 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. | [email protected] | 6.9 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25235 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0. | [email protected] | 8.2 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25234 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. | [email protected] | 5.3 | 0.06% | 2026-02-03 | 2026-02-05 |
| CVE-2026-25233 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0. | [email protected] | 7.1 | 0.05% | 2026-02-03 | 2026-02-05 |
| CVE-2022-24953 | The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions. | [email protected] | 5.3 | 0.39% | 2022-02-17 | 2024-11-21 |
| CVE-2017-5677 | PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression. | [email protected] | 9.8 | 6.32% | 2017-02-06 | 2026-05-13 |
| CVE-2009-4111 | Argument injection vulnerability in Mail/sendmail.php in the Mail package 1.1.14, 1.2.0b2, and possibly other versions for PEAR allows remote attackers to read and write arbitrary files via a crafted $recipients parameter, and possibly other parameters, a different vulnerability than CVE-2009-4023. | [email protected] | 6.8 | 0.71% | 2009-11-29 | 2026-04-23 |
| CVE-2009-4025 | Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information. | [email protected] | 10.0 | 5.80% | 2009-11-29 | 2026-04-23 |
| CVE-2009-4024 | Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem. | [email protected] | 10.0 | 2.65% | 2009-11-29 | 2026-04-23 |
| CVE-2009-4023 | Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111. | [email protected] | 7.5 | 3.14% | 2009-11-29 | 2026-04-23 |
| CVE-2007-5934 | The LOB functionality in PEAR MDB2 before 2.5.0a1 interprets a request to store a URL string as a request to retrieve and store the contents of the URL, which might allow remote attackers to use MDB2 as an indirect proxy or obtain sensitive information via a URL into a form field in an MDB2 application, as demonstrated by a file:// URL or a URL for an intranet web site. | [email protected] | 4.3 | 0.94% | 2007-11-13 | 2026-04-23 |
| CVE-2007-3628 | Unspecified vulnerability in the fetch function in MDB2.php in PEAR Structures-DataGrid-DataSource-MDB2 0.1.9 and earlier allows attackers to "manipulate the generated sorting queries." | [email protected] | 5.0 | 0.38% | 2007-07-09 | 2026-04-23 |
| CVE-2006-0932 | Directory traversal vulnerability in zip.lib.php 0.1.1 in PEAR::Archive_Zip allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a ZIP archive. | [email protected] | 5.0 | 1.26% | 2006-02-28 | 2026-04-16 |
| CVE-2006-0931 | Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive. | [email protected] | 5.0 | 1.43% | 2006-02-28 | 2026-04-16 |
| CVE-2006-0869 | Directory traversal vulnerability in the "remember me" feature in liveuser.php in PHP Extension and Application Repository (PEAR) LiveUser 0.16.8 and earlier allows remote attackers to determine file existence, and possibly delete arbitrary files with short pathnames or possibly read arbitrary files, via a .. (dot dot) in the store_id value of a cookie. | [email protected] | 6.4 | 14.18% | 2006-02-23 | 2026-04-16 |