Description
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.
Published: 2026-02-03
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A vulnerable version of pearweb's apidoc queue management inserts a filename into the apidoc_queue table without escaping or parameter binding, so the value is spliced directly into the SQL text: a classic SQL injection (CWE-89). An attacker who can influence that filename can change the structure of the INSERT statement rather than merely its data. The published metrics rate the impact as high for integrity and none for confidentiality or availability (CVSS 3.1 vector C:N/I:H/A:N), so the expected effect is manipulation of what gets written; whatever else is reachable depends on the privileges of the database account the application uses. The flaw is present in versions before 1.33.0 and was fixed in that release.

Affected Systems

The affected product is pearweb, the PHP code base behind the PEAR website (CPE cpe:2.3:a:pear:pearweb:*). Deployments running pearweb versions before 1.33.0 are vulnerable; 1.33.0 and later contain the fix. The CPE data names only pearweb, not the PEAR installer or individual PEAR packages.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 8.2 (High) and an earlier CVSS 3.1 assessment of 7.5. Both vectors describe a network-reachable, low-complexity attack that needs no privileges or user interaction, but the 4.0 vector records an attack requirement (AT:P), reflecting the precondition that the attacker must be able to influence the filename passed to the queue insert. EPSS is below 1%, the issue is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Exploitation requires getting a crafted filename onto the apidoc queue insertion code path; the advisory does not say how that value is normally sourced, so operators should treat any path by which an untrusted party can choose a filename as in scope. A filename containing a single quote terminates the SQL string literal, and the remainder of the value is parsed as SQL.

Generated by OpenCVE AI on April 18, 2026 at 00:09 UTC.

Remediation

The vendor fix is pearweb 1.33.0, which addresses the issue. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade pearweb to version 1.33.0 or later to apply the vendor patch
  • If an upgrade is not immediately possible, change the apidoc_queue insert to use a prepared statement with the filename bound as a parameter rather than concatenated into the query; as defence in depth, allow-list the filename so it contains only alphanumeric characters and the punctuation a package filename legitimately needs
  • Place a web application firewall or input sanitisation layer in front of any endpoint that can reach the queue insert, and monitor application and database logs for statements containing unexpected quotes, comment markers or additional clauses
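The three patterns in the actions above, as an added illustration for this advisory rather than pearweb's own code: a filename spliced into an INSERT by string interpolation, the same insert with the filename bound as a PDO parameter, and an allow-list check applied before the database is touched. The table name, its columns, the SQLite in-memory database and the sample filenames are assumptions chosen to show the mechanism; the payload is constructed for the example.

```php
<?php
// Added illustration for this advisory, not pearweb's own code. The table,
// its columns and the sample filenames are assumptions chosen to show the
// pattern the advisory describes: an unescaped filename spliced into an
// INSERT (CWE-89), beside the parameterised form and an allow-list check.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE apidoc_queue (
    id       INTEGER PRIMARY KEY,
    filename TEXT NOT NULL,
    status   TEXT NOT NULL
)");

// Vulnerable pattern: the filename is interpolated into the SQL text, so a
// single quote inside it ends the literal and the rest is parsed as SQL.
function queueInsertVulnerable(PDO $db, string $filename): void
{
    $sql = "INSERT INTO apidoc_queue (filename, status) VALUES ('$filename', 'pending')";
    $db->exec($sql);
}

// Hardened pattern: the filename travels as a bound parameter and can only
// ever be data, whatever characters it contains.
function queueInsertSafe(PDO $db, string $filename): void
{
    $stmt = $db->prepare(
        'INSERT INTO apidoc_queue (filename, status) VALUES (:filename, :status)'
    );
    $stmt->execute([':filename' => $filename, ':status' => 'pending']);
}

// Defence in depth: reject anything that is not a plausible package filename
// before it reaches the database at all. The character set is an assumption.
function isValidPackageFilename(string $filename): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $filename) === 1;
}

// Constructed payload: closes the string literal, supplies the attacker's own
// status value, and comments out the remainder of the original statement.
$payload = "x.tgz', 'approved') --";

queueInsertVulnerable($db, $payload);
queueInsertSafe($db, $payload);

foreach ($db->query('SELECT id, filename, status FROM apidoc_queue ORDER BY id') as $row) {
    printf("%d  %-28s %s\n", $row['id'], $row['filename'], $row['status']);
}

var_dump(isValidPackageFilename('Foo_Bar-1.2.3.tgz'));
var_dump(isValidPackageFilename($payload));
```

With the vulnerable insert the statement becomes `INSERT INTO apidoc_queue (filename, status) VALUES ('x.tgz', 'approved') --', 'pending')`, so the first row is stored with a status the attacker chose, which is the integrity-only impact the CVSS vectors record. The parameterised insert stores the whole payload verbatim as the filename with status `pending`, and the allow-list check rejects it outright while accepting an ordinary package filename. Parameter binding is the fix; the allow-list is a second layer, not a substitute for it.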

Advisories

No advisories yet.

History

Thu, 05 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:pear:pearweb:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 04 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pear
                                      Pear pearweb
Vendors & Products                    Pear
                                      Pear pearweb

Tue, 03 Feb 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description                   PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0.
Title                         PEAR is Vulnerable to SQL Injection in apidoc_queue Insert via Unescaped Filename
Weaknesses                    CWE-89
References
Metrics                       cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:16:47.763Z

Reserved: 2026-01-30T14:44:47.329Z

Link: CVE-2026-25239

Vulnrichment

Updated: 2026-02-04T21:16:44.801Z

NVD

Status : Analyzed

Published: 2026-02-03T19:16:25.157

Modified: 2026-02-05T18:00:51.113

Link: CVE-2026-25239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses