CVE-2026-25233
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-02-03

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25233
EUVD
EUVD-2026-5202
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pear pearweb to 1.33.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-783 The product uses an expression in which operator precedence causes incorrect logic to be used.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25233 is a high-severity authorization bypass vulnerability in the PEAR framework caused by a logic bug related to operator precedence in the roadmap role check.

Specifically, the condition used to verify if a user is a lead maintainer is incorrectly evaluated due to improper operator precedence, allowing non-lead maintainers to bypass this check.

As a result, unauthorized users can create, update, or delete roadmaps, effectively escalating their privileges in roadmap management.

This issue affects versions prior to 1.33.0 and was fixed in version 1.33.0.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows unauthorized users who are not lead maintainers to gain elevated privileges to create, update, or delete roadmaps.'}, {'type': 'paragraph', 'content': 'Such unauthorized modifications can lead to data integrity issues, disruption of project planning, and potential misuse or manipulation of roadmap information.'}, {'type': 'paragraph', 'content': "If exploited, it could undermine trust in the system's access controls and potentially affect the overall security posture of applications relying on this framework."}] [1]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is caused by a logic error in the roadmap role check in the pearweb project, specifically in the file public_html/bugs/roadmap.php around line 90. Detection would involve verifying the version of the PEAR framework in use and inspecting the authorization logic in the roadmap management functionality.'}, {'type': 'paragraph', 'content': 'Since the issue is a logic bug allowing non-lead maintainers to create, update, or delete roadmaps, one way to detect exploitation is to audit user actions related to roadmap modifications and check if users without lead maintainer roles have performed such actions.'}, {'type': 'paragraph', 'content': 'Commands to detect the vulnerability could include:'}, {'type': 'list_item', 'content': 'Check the installed PEAR version: `pear version` or inspect the version in the application metadata.'}, {'type': 'list_item', 'content': "Search for the vulnerable code pattern in the source: `grep -n '!\\$bugtest->role == 'lead'' public_html/bugs/roadmap.php`"}, {'type': 'list_item', 'content': 'Audit logs for unauthorized roadmap changes by non-lead users, depending on your logging system.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the PEAR framework to version 1.33.0 or later, where this logic bug has been fixed.

Until the upgrade can be applied, restrict access to the roadmap management functionality to only trusted lead maintainers and monitor for unauthorized changes.

Additionally, review and patch the authorization logic in the roadmap role check to correct the operator precedence error if an upgrade is not immediately possible.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25233. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart