PEAR Has a Predictable Verification Hash in Election Account Requests

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.

Basic Information

ID CVE-2026-25235

Source GitHub_M

Published Feb 3, 2026 at 18:29

Affected Product

Vendor pear

Product pearweb

Version < 1.33.0

Affected Versions pear pearweb < 1.33.0

CWE Classification

CWE-337

References

github.com /pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf

{
    "lastseen": "",
    "description": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.",
    "published": "2026-02-03T18:29:39.698Z",
    "modified": "2026-02-03T18:29:39.698Z",
    "type": "cve",
    "title": "PEAR Has a Predictable Verification Hash in Election Account Requests",
    "source": "GitHub_M",
    "references": "https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf",
    "id": "CVE-2026-25235",
    "bulletinFamily": "",
    "cwe": [
        "CWE-337"
    ],
    "cvelist": null,
    "sourceData": "pear pearweb < 1.33.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pearweb",
    "version": "< 1.33.0",
    "vendor": "pear",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PEAR Has a Predictable Verification Hash in Election Account Requests_CVE-2026-25235