Pear
by Pear
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2007-2519 | 0.04 | — | 0.07 | May 22, 2007 | Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the… | |||
| CVE-2026-25241 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get// endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched… | |||
| CVE-2026-25240 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in… | |||
| CVE-2026-25239 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version… | |||
| CVE-2026-25238 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | |||
| CVE-2026-25237 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue… | |||
| CVE-2026-25236 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0. | |||
| CVE-2026-25234 | 0.00 | — | 0.00 | Feb 3, 2026 | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in… | |||
| CVE-2011-1144 | 0.00 | — | 0.00 | Mar 3, 2011 | The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of… | |||
| CVE-2011-1072 | 0.00 | — | 0.00 | Mar 3, 2011 | The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519. | |||
| CVE-2009-4025 | 0.00 | — | 0.06 | Nov 29, 2009 | Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party… | |||
| CVE-2009-4024 | 0.00 | — | 0.06 | Nov 29, 2009 | Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem. | |||
| CVE-2009-4023 | 0.00 | — | 0.02 | Nov 29, 2009 | Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111. |
- CVE-2007-2519May 22, 2007risk 0.04cvss —epss 0.07
Directory traversal vulnerability in the installer in PEAR 1.0 through 1.5.3 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the (1) install-as attribute in the file element in package.xml 1.0 or the (2) as attribute in the…
- CVE-2026-25241Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get// endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched…
- CVE-2026-25240Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (...) clause. This issue has been patched in…
- CVE-2026-25239Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version…
- CVE-2026-25238Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0.
- CVE-2026-25237Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue…
- CVE-2026-25236Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (...) list. This issue has been patched in version 1.33.0.
- CVE-2026-25234Feb 3, 2026risk 0.00cvss —epss 0.00
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in…
- CVE-2011-1144Mar 3, 2011risk 0.00cvss —epss 0.00
The installer in PEAR 1.9.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. NOTE: this vulnerability exists because of…
- CVE-2011-1072Mar 3, 2011risk 0.00cvss —epss 0.00
The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519.
- CVE-2009-4025Nov 29, 2009risk 0.00cvss —epss 0.06
Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party…
- CVE-2009-4024Nov 29, 2009risk 0.00cvss —epss 0.06
Argument injection vulnerability in the ping function in Ping.php in the Net_Ping package before 2.4.5 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: this has also been reported as a shell metacharacter problem.
- CVE-2009-4023Nov 29, 2009risk 0.00cvss —epss 0.02
Argument injection vulnerability in the sendmail implementation of the Mail::Send method (Mail/sendmail.php) in the Mail package 1.1.14 for PEAR allows remote attackers to read and write arbitrary files via a crafted $from parameter, a different vector than CVE-2009-4111.