MidnightBSD

Advisories for pear

CVE-2005-4730 HIGH

Unspecified vulnerability in PEAR Text_Password 1.0 has unknown impact and attack vectors, related to "problematic seeding" of the random number generator, possibly predictable seeds.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
pear text_password 1.0

CVE-2006-0868 HIGH

Multiple unspecified injection vulnerabilities in unspecified Auth Container back ends for PEAR::Auth before 1.2.4, and 1.3.x before 1.3.0r4, allow remote attackers to "falsify authentication credentials," related to the "underlying storage containers."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
pear xml_rpc 1.2.0rc7
pear xml_rpc 1.2.2
pear xml_rpc 1.0.2
pear xml_rpc 1.1.0
pear xml_rpc 1.3.0rc2
pear xml_rpc 1.3.0rc3
pear xml_rpc 1.2.0rc5
pear xml_rpc 1.2.1
pear xml_rpc 1.2.0
pear xml_rpc 1.0.4
pear xml_rpc 1.2.0rc2
pear xml_rpc 1.3.0rc1
pear xml_rpc 1.2.0rc1
pear xml_rpc 1.2.0rc6
pear xml_rpc 1.2.0rc4
pear xml_rpc 1.2.0rc3
pear xml_rpc 1.0.3

CVE-2006-0869 MEDIUM

Directory traversal vulnerability in the "remember me" feature in liveuser.php in PHP Extension and Application Repository (PEAR) LiveUser 0.16.8 and earlier allows remote attackers to determine file existence, and possibly delete arbitrary files with short pathnames or possibly read arbitrary files, via a .. (dot dot) in the store_id value of a cookie.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
pear pear_liveuser 0.16.5
pear pear_liveuser 0.5
pear pear_liveuser 0.16.1
pear pear_liveuser 0.11.0
pear pear_liveuser 0.16.6
pear pear_liveuser 0.15.1
pear pear_liveuser 0.13.2
pear pear_liveuser 0.8
pear pear_liveuser 0.7
pear pear_liveuser 0.6.1
pear pear_liveuser 0.9
pear pear_liveuser 0.13.1
pear pear_liveuser 0.8.1
pear pear_liveuser 0.10.0
pear pear_liveuser 0.14.0
pear pear_liveuser 0.5.1
pear pear_liveuser 0.6
pear pear_liveuser 0.12.0
pear pear_liveuser 0.3
pear pear_liveuser 0.13.0
pear pear_liveuser 0.16.0
pear pear_liveuser 0.16.2
pear pear_liveuser 0.16.3
pear pear_liveuser 0.16.7
pear pear_liveuser 0.16.8
pear pear_liveuser 0.13.3
pear pear_liveuser 0.16.4
pear pear_liveuser 0.15.0
pear pear_liveuser 0.11.1

CVE-2006-0931 MEDIUM

Directory traversal vulnerability in PEAR::Archive_Tar 1.2, and other versions before 1.3.2, allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a TAR archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22

Products Affected

Vendor Product Version
pear pear_archive_tar *

CVE-2006-0932 MEDIUM

Directory traversal vulnerability in zip.lib.php 0.1.1 in PEAR::Archive_Zip allows remote attackers to create and overwrite arbitrary files via certain crafted pathnames in a ZIP archive.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
pear pear_archive_zip 1.1

CVE-2017-5677 HIGH

PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerability in the PHP Serializer. It allows remote code execution. In one viewpoint, the root cause is an incorrect regular expression.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
pear html_ajax 0.3.3
pear html_ajax 0.5.5
pear html_ajax 0.3.0
pear html_ajax 0.5.2
pear html_ajax 0.3.2
pear html_ajax 0.3.1
pear html_ajax 0.5.7
pear html_ajax 0.4.1
pear html_ajax 0.5.1
pear html_ajax 0.5.3
pear html_ajax 0.4.0
pear html_ajax 0.5.4
pear html_ajax 0.5.0
pear html_ajax 0.3.4
pear html_ajax 0.5.6

CVE-2022-24953 MEDIUM

The Crypt_GPG extension before 1.6.7 for PHP does not prevent additional options in GPG calls, which presents a risk for certain environments and GPG versions.

CVSS 3.x

Source: nvd@nist.gov
Score: 5.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9
Impact: 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-88

Products Affected

Vendor Product Version
pear crypt_gpg *

CVE-2026-25233

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25234

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25235

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25236

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25237

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25238

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25239

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25240

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *

CVE-2026-25241

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0.

Products Affected

Vendor Product Version
pear pearweb *