Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise via SQL Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic SQL injection (CWE-89): the category deletion action accepts a category ID from the request without validating it or binding it as a query parameter, so the value is spliced into the SQL text. An attacker who can reach the category manager interface can therefore inject arbitrary SQL through the ID field, at minimum deleting rows they should not be able to touch and, depending on what the database driver lets the injected statement do, reading or modifying other data. This could expose sensitive data, alter business logic, or disrupt service.
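As an added illustration, not code from pearweb or from this advisory: the same delete handler written the vulnerable way (request value pasted into the SQL string) and the hardened way (value validated as an integer and bound as a parameter), run against a constructed in-memory SQLite table. The table name, handler names and the `1 OR 1=1` payload are assumptions chosen for the example; pearweb's real schema and query are not shown on this page.

```python
import sqlite3

# Constructed in-memory stand-in for a category table; the schema is an assumption.
SCHEMA = """
CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO categories (id, name) VALUES
    (1, 'Authentication'), (2, 'Database'), (3, 'HTTP');
"""


def fresh_db():
    """Return a new SQLite connection holding the sample categories."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def delete_category_vulnerable(conn, category_id):
    """Hypothetical vulnerable handler: the request value is pasted into the SQL
    text, so a value such as '1 OR 1=1' rewrites the WHERE clause.
    Returns the number of rows deleted."""
    sql = "DELETE FROM categories WHERE id = %s" % category_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_category_safe(conn, category_id):
    """Hardened handler: reject anything that is not an integer, then bind the
    value as a query parameter so the driver never treats it as SQL.
    Returns the number of rows deleted."""
    try:
        cid = int(str(category_id).strip())
    except ValueError:
        raise ValueError("category id must be an integer: %r" % (category_id,))
    cur = conn.execute("DELETE FROM categories WHERE id = ?", (cid,))
    conn.commit()
    return cur.rowcount


def count_categories(conn):
    """Rows left in the table, used to show the effect of each handler."""
    return conn.execute("SELECT COUNT(*) FROM categories").fetchone()[0]


def demo(payload="1 OR 1=1"):
    """Run the same attacker-controlled id through both handlers and report
    what each one did to the table."""
    vuln = fresh_db()
    vuln_deleted = delete_category_vulnerable(vuln, payload)

    safe = fresh_db()
    try:
        safe_deleted = delete_category_safe(safe, payload)
    except ValueError:
        safe_deleted = 0  # request rejected before any SQL ran

    return {
        "vulnerable_deleted": vuln_deleted,
        "vulnerable_left": count_categories(vuln),
        "safe_deleted": safe_deleted,
        "safe_left": count_categories(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The payload `1 OR 1=1` turns `DELETE ... WHERE id = 1` into a condition that is true for every row, so the vulnerable handler empties the table while the hardened one refuses the request. The integer check is the cheap first line of defence; the parameter binding is what actually removes the injection, and it should be applied even when the id is already numeric.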

Affected Systems

The issue is present in all releases of PEAR's pearweb component before version 1.33.0. PEAR is a framework and distribution system for reusable PHP components; pearweb is the web application component that carries the category manager. The only affected product listed is pearweb (CPE cpe:2.3:a:pear:pearweb), and no operating system is singled out, so the vulnerability exists wherever a vulnerable pearweb instance is deployed and the attacker can reach its category manager.

Risk and Exploitability

The CNA-assigned CVSS 4.0 score of 5.3 indicates moderate severity; the EPSS score is below 1 %, suggesting exploitation attempts are rare at present, and the vulnerability is not listed in the CISA KEV catalog. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) describes a network-reachable attack that needs low-privilege access to the category manager workflow, not local access: the limiting factor is authorization to that workflow, not the attacker's network position. Note that NVD's CVSS 3.1 assessment recorded in the history below rates the same issue 9.8 Critical with no privileges required, so the two sources disagree on whether authentication is a prerequisite. Once an attacker can submit a category id to the deletion action, the injected SQL runs with the application's database privileges; the CNA vector rates the direct impact as a low integrity impact (VI:L) with no confidentiality or availability impact.

Generated by OpenCVE AI on April 18, 2026 at 14:11 UTC.

Remediation

The vendor fix is pearweb 1.33.0, as the CVE description states. No separate workaround is listed; until the upgrade is applied, the practical mitigation is restricting who can reach the category manager workflow.

OpenCVE Recommended Actions

  • Upgrade PEAR pearweb to version 1.33.0 or later
  • Restrict access to the category manager workflow to trusted users only
  • Implement input validation or parameterized queries for category identifiers
  • Monitor web application logs for attempts to inject SQL commands
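To make the monitoring recommendation concrete, an added example that is not OpenCVE's or pearweb's code: it scans web-server access-log lines for a category id parameter whose value is not a plain integer and flags the ones that carry SQL fragments. The log lines, the /admin/category-manager.php path and the parameter names are constructed assumptions; pearweb's real routes are not given on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Combined Log Format). The path and parameter
# names are assumptions for the example, not pearweb's real routes.
SAMPLE_LOG = """\
203.0.113.7 - admin [18/Apr/2026:14:11:02 +0000] "GET /admin/category-manager.php?action=delete&id=12 HTTP/1.1" 302 0
203.0.113.7 - admin [18/Apr/2026:14:11:09 +0000] "GET /admin/category-manager.php?action=delete&id=12%20OR%201%3D1 HTTP/1.1" 302 0
198.51.100.4 - - [18/Apr/2026:14:12:40 +0000] "GET /admin/category-manager.php?action=delete&id=12%27%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1" 500 2048
198.51.100.4 - - [18/Apr/2026:14:13:01 +0000] "GET /packages.php?cat=7 HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names that carry a category id in this hypothetical deployment.
ID_PARAMS = ("id", "category_id", "cat")
# Fragments that change the meaning of a numeric id once spliced into SQL.
SQL_HINT = re.compile(r"(?i)\b(or|and|union|select|sleep)\b|--|/\*|'|;")


def analyze_line(line):
    """Return a finding dict when an id parameter is not a plain integer,
    otherwise None. Unparseable lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes, so encoded spaces and quotes are seen the
    # way the application would see them.
    qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    for name in ID_PARAMS:
        for value in qs.get(name, []):
            if value.strip().isdigit():
                continue
            return {
                "ip": m.group("ip"),
                "user": m.group("user"),
                "time": m.group("ts"),
                "param": name,
                "value": value,
                "status": int(m.group("status")),
                "sql_fragment": bool(SQL_HINT.search(value)),
            }
    return None


def scan(log_text):
    """Scan a whole log and return the findings in file order."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Anything that is not an integer is worth a look for an id field, and the `sql_fragment` flag separates probable injection attempts from ordinary malformed requests. Two caveats: values sent in a POST body never reach the access log, so the same check belongs in application-level logging, and a 302 or 200 response does not mean the injection failed, since a DELETE that succeeded looks like a normal redirect.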


Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pear
                                      Pear pearweb
Vendors & Products                    Pear
                                      Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0.
Title                          PEAR is Vulnerable to SQL Injection in Category Deletion
Weaknesses                     CWE-89
References
Metrics                        cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:15:38.932Z

Reserved: 2026-01-30T14:44:47.328Z

Link: CVE-2026-25234

Vulnrichment

Updated: 2026-02-04T21:15:36.091Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:23.203

Modified: 2026-02-05T18:08:05.863

Link: CVE-2026-25234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses