Impact
A flaw in the Pear framework allows attackers to submit a crafted email address containing malicious SQL code to the routine that deletes a bug subscription. That deletion routine does not properly sanitize the email input, creating an injection point that can be used to read, modify, or delete database records. The weakness is classified as CWE-89 (SQL injection) and can lead to full compromise of the underlying database. The impact is significant: an attacker gains unauthorized access to data and may be able to pivot further within the affected system.
Affected Systems
The vulnerability exists in all releases of the Pearweb distribution system prior to version 1.33.0. Any installation of Pear that includes the bug subscription deletion component and is running a version older than 1.33.0 is susceptible.
Risk and Exploitability
The CVSS score of 9.2 indicates critical severity. Although the EPSS score is less than 1%, suggesting a low probability of widespread exploitation at present, the availability of a critical patch and public disclosures mean that attackers may still target these systems. The likely attack vector is the bug subscription deletion endpoint: an attacker who can submit a crafted email address (which may require authenticated access to that functionality) may inject arbitrary SQL. The lack of input validation, combined with direct access to the database, makes this a high-risk vulnerability that requires prompt remediation.
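The following is an added illustration of the vulnerability class described in the Impact and Risk sections above; it is not Pearweb's code (Pearweb is written in PHP) and does not reproduce its schema. It uses a constructed in-memory SQLite table named bug_subscriptions with hypothetical rows, and contrasts an unsubscribe routine that interpolates the email into the DELETE statement (the CWE-89 pattern) with one that binds the email as a query parameter and validates its shape first. The interpolating version deletes every subscription for a tautology-style input; the parameterized version treats the same input as a literal email that matches nothing.

```python
import re
import sqlite3

# Constructed sample data (hypothetical; not Pearweb's schema or records).
SAMPLE_ROWS = [
    (1, "alice@example.org"),
    (1, "bob@example.org"),
    (2, "carol@example.org"),
]

# Deliberately simple shape check used as defense in depth; it rejects quotes,
# whitespace and comment sequences that have no place in an email address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Create a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug_subscriptions (bug_id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO bug_subscriptions VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_subscriptions(conn):
    """Return how many subscription rows remain."""
    return conn.execute("SELECT COUNT(*) FROM bug_subscriptions").fetchone()[0]


def unsubscribe_vulnerable(conn, bug_id, email):
    """Flawed pattern: the email is spliced into the SQL text.

    Anything the caller places in `email` becomes part of the statement, so a
    value containing quotes can change the WHERE clause. Returns rows deleted.
    """
    sql = "DELETE FROM bug_subscriptions WHERE bug_id = %d AND email = '%s'" % (
        int(bug_id),
        email,
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_valid_email(email):
    """Shape check only; returns True for plausible addresses, False otherwise."""
    return bool(EMAIL_RE.match(email))


def unsubscribe_fixed(conn, bug_id, email):
    """Hardened pattern: validate the input, then bind it as a parameter.

    The database driver passes `email` to the engine as data, never as SQL
    text, so its content cannot alter the statement. Returns rows deleted,
    or -1 if the input failed validation and no query was issued.
    """
    if not is_valid_email(email):
        return -1
    cur = conn.execute(
        "DELETE FROM bug_subscriptions WHERE bug_id = ? AND email = ?",
        (int(bug_id), email),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run both routines against the same hostile input and report the results."""
    # A tautology in the email field turns the WHERE clause into "... OR '1'='1'".
    hostile = "x' OR '1'='1"
    results = {}

    conn = make_db()
    results["vulnerable_deleted"] = unsubscribe_vulnerable(conn, 1, hostile)
    results["vulnerable_remaining"] = count_subscriptions(conn)

    conn = make_db()
    results["fixed_hostile"] = unsubscribe_fixed(conn, 1, hostile)
    results["fixed_legit"] = unsubscribe_fixed(conn, 1, "alice@example.org")
    results["fixed_remaining"] = count_subscriptions(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation step is not a substitute for parameter binding; it only narrows what reaches the query and gives the application a clean place to log rejected input, which is the useful detection signal for attempts against an endpoint like the one described above.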
OpenCVE Enrichment